[
{
"path": ".gitignore",
"content": "# Byte-compiled / optimized / DLL files\n__pycache__/\n*.py[cod]\n*$py.class\n\n# C extensions\n*.so\n\n# Distribution / packaging\n.Python\nbuild/\ndevelop-eggs/\ndist/\ndownloads/\neggs/\n.eggs/\nlib/\nlib64/\nparts/\nsdist/\nvar/\nwheels/\npip-wheel-metadata/\nshare/python-wheels/\n*.egg-info/\n.installed.cfg\n*.egg\nMANIFEST\n\n# PyInstaller\n# Usually these files are written by a python script from a template\n# before PyInstaller builds the exe, so as to inject date/other infos into it.\n*.manifest\n*.spec\n\n# Installer logs\npip-log.txt\npip-delete-this-directory.txt\n\n# Unit test / coverage reports\nhtmlcov/\n.tox/\n.nox/\n.coverage\n.coverage.*\n.cache\nnosetests.xml\ncoverage.xml\n*.cover\n*.py,cover\n.hypothesis/\n.pytest_cache/\n\n# Translations\n*.mo\n*.pot\n\n# Django stuff:\n*.log\nlocal_settings.py\ndb.sqlite3\ndb.sqlite3-journal\n\n# Flask stuff:\ninstance/\n.webassets-cache\n\n# Scrapy stuff:\n.scrapy\n\n# Sphinx documentation\ndocs/_build/\n\n# PyBuilder\ntarget/\n\n# Jupyter Notebook\n.ipynb_checkpoints\n\n# IPython\nprofile_default/\nipython_config.py\n\n# pyenv\n.python-version\n\n# pipenv\n# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.\n# However, in case of collaboration, if having platform-specific dependencies or dependencies\n# having no cross-platform support, pipenv may install dependencies that don't work, or not\n# install all needed dependencies.\n#Pipfile.lock\n\n# PEP 582; used by e.g. github.com/David-OConnor/pyflow\n__pypackages__/\n\n# Celery stuff\ncelerybeat-schedule\ncelerybeat.pid\n\n# SageMath parsed files\n*.sage.py\n\n# Environments\n.env\n.venv\nenv/\nvenv/\nENV/\nenv.bak/\nvenv.bak/\n\n# Spyder project settings\n.spyderproject\n.spyproject\n\n# Rope project settings\n.ropeproject\n\n# mkdocs documentation\n/site\n\n# mypy\n.mypy_cache/\n.dmypy.json\ndmypy.json\n\n# Pyre type checker\n.pyre/\n"
},
{
"path": "LICENSE",
"content": " GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007 Free Software Foundation, Inc. \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n Preamble\n\n The GNU General Public License is a free, copyleft license for\nsoftware and other kinds of works.\n\n The licenses for most software and other practical works are designed\nto take away your freedom to share and change the works. By contrast,\nthe GNU General Public License is intended to guarantee your freedom to\nshare and change all versions of a program--to make sure it remains free\nsoftware for all its users. We, the Free Software Foundation, use the\nGNU General Public License for most of our software; it applies also to\nany other work released this way by its authors. You can apply it to\nyour programs, too.\n\n When we speak of free software, we are referring to freedom, not\nprice. Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthem if you wish), that you receive source code or can get it if you\nwant it, that you can change the software or use pieces of it in new\nfree programs, and that you know you can do these things.\n\n To protect your rights, we need to prevent others from denying you\nthese rights or asking you to surrender the rights. Therefore, you have\ncertain responsibilities if you distribute copies of the software, or if\nyou modify it: responsibilities to respect the freedom of others.\n\n For example, if you distribute copies of such a program, whether\ngratis or for a fee, you must pass on to the recipients the same\nfreedoms that you received. You must make sure that they, too, receive\nor can get the source code. And you must show them these terms so they\nknow their rights.\n\n Developers that use the GNU GPL protect your rights with two steps:\n(1) assert copyright on the software, and (2) offer you this License\ngiving you legal permission to copy, distribute and/or modify it.\n\n For the developers' and authors' protection, the GPL clearly explains\nthat there is no warranty for this free software. For both users' and\nauthors' sake, the GPL requires that modified versions be marked as\nchanged, so that their problems will not be attributed erroneously to\nauthors of previous versions.\n\n Some devices are designed to deny users access to install or run\nmodified versions of the software inside them, although the manufacturer\ncan do so. This is fundamentally incompatible with the aim of\nprotecting users' freedom to change the software. The systematic\npattern of such abuse occurs in the area of products for individuals to\nuse, which is precisely where it is most unacceptable. Therefore, we\nhave designed this version of the GPL to prohibit the practice for those\nproducts. If such problems arise substantially in other domains, we\nstand ready to extend this provision to those domains in future versions\nof the GPL, as needed to protect the freedom of users.\n\n Finally, every program is threatened constantly by software patents.\nStates should not allow patents to restrict development and use of\nsoftware on general-purpose computers, but in those that do, we wish to\navoid the special danger that patents applied to a free program could\nmake it effectively proprietary. To prevent this, the GPL assures that\npatents cannot be used to render the program non-free.\n\n The precise terms and conditions for copying, distribution and\nmodification follow.\n\n TERMS AND CONDITIONS\n\n 0. Definitions.\n\n \"This License\" refers to version 3 of the GNU General Public License.\n\n \"Copyright\" also means copyright-like laws that apply to other kinds of\nworks, such as semiconductor masks.\n\n \"The Program\" refers to any copyrightable work licensed under this\nLicense. Each licensee is addressed as \"you\". \"Licensees\" and\n\"recipients\" may be individuals or organizations.\n\n To \"modify\" a work means to copy from or adapt all or part of the work\nin a fashion requiring copyright permission, other than the making of an\nexact copy. The resulting work is called a \"modified version\" of the\nearlier work or a work \"based on\" the earlier work.\n\n A \"covered work\" means either the unmodified Program or a work based\non the Program.\n\n To \"propagate\" a work means to do anything with it that, without\npermission, would make you directly or secondarily liable for\ninfringement under applicable copyright law, except executing it on a\ncomputer or modifying a private copy. Propagation includes copying,\ndistribution (with or without modification), making available to the\npublic, and in some countries other activities as well.\n\n To \"convey\" a work means any kind of propagation that enables other\nparties to make or receive copies. Mere interaction with a user through\na computer network, with no transfer of a copy, is not conveying.\n\n An interactive user interface displays \"Appropriate Legal Notices\"\nto the extent that it includes a convenient and prominently visible\nfeature that (1) displays an appropriate copyright notice, and (2)\ntells the user that there is no warranty for the work (except to the\nextent that warranties are provided), that licensees may convey the\nwork under this License, and how to view a copy of this License. If\nthe interface presents a list of user commands or options, such as a\nmenu, a prominent item in the list meets this criterion.\n\n 1. Source Code.\n\n The \"source code\" for a work means the preferred form of the work\nfor making modifications to it. \"Object code\" means any non-source\nform of a work.\n\n A \"Standard Interface\" means an interface that either is an official\nstandard defined by a recognized standards body, or, in the case of\ninterfaces specified for a particular programming language, one that\nis widely used among developers working in that language.\n\n The \"System Libraries\" of an executable work include anything, other\nthan the work as a whole, that (a) is included in the normal form of\npackaging a Major Component, but which is not part of that Major\nComponent, and (b) serves only to enable use of the work with that\nMajor Component, or to implement a Standard Interface for which an\nimplementation is available to the public in source code form. A\n\"Major Component\", in this context, means a major essential component\n(kernel, window system, and so on) of the specific operating system\n(if any) on which the executable work runs, or a compiler used to\nproduce the work, or an object code interpreter used to run it.\n\n The \"Corresponding Source\" for a work in object code form means all\nthe source code needed to generate, install, and (for an executable\nwork) run the object code and to modify the work, including scripts to\ncontrol those activities. However, it does not include the work's\nSystem Libraries, or general-purpose tools or generally available free\nprograms which are used unmodified in performing those activities but\nwhich are not part of the work. For example, Corresponding Source\nincludes interface definition files associated with source files for\nthe work, and the source code for shared libraries and dynamically\nlinked subprograms that the work is specifically designed to require,\nsuch as by intimate data communication or control flow between those\nsubprograms and other parts of the work.\n\n The Corresponding Source need not include anything that users\ncan regenerate automatically from other parts of the Corresponding\nSource.\n\n The Corresponding Source for a work in source code form is that\nsame work.\n\n 2. Basic Permissions.\n\n All rights granted under this License are granted for the term of\ncopyright on the Program, and are irrevocable provided the stated\nconditions are met. This License explicitly affirms your unlimited\npermission to run the unmodified Program. The output from running a\ncovered work is covered by this License only if the output, given its\ncontent, constitutes a covered work. This License acknowledges your\nrights of fair use or other equivalent, as provided by copyright law.\n\n You may make, run and propagate covered works that you do not\nconvey, without conditions so long as your license otherwise remains\nin force. You may convey covered works to others for the sole purpose\nof having them make modifications exclusively for you, or provide you\nwith facilities for running those works, provided that you comply with\nthe terms of this License in conveying all material for which you do\nnot control copyright. Those thus making or running the covered works\nfor you must do so exclusively on your behalf, under your direction\nand control, on terms that prohibit them from making any copies of\nyour copyrighted material outside their relationship with you.\n\n Conveying under any other circumstances is permitted solely under\nthe conditions stated below. Sublicensing is not allowed; section 10\nmakes it unnecessary.\n\n 3. Protecting Users' Legal Rights From Anti-Circumvention Law.\n\n No covered work shall be deemed part of an effective technological\nmeasure under any applicable law fulfilling obligations under article\n11 of the WIPO copyright treaty adopted on 20 December 1996, or\nsimilar laws prohibiting or restricting circumvention of such\nmeasures.\n\n When you convey a covered work, you waive any legal power to forbid\ncircumvention of technological measures to the extent such circumvention\nis effected by exercising rights under this License with respect to\nthe covered work, and you disclaim any intention to limit operation or\nmodification of the work as a means of enforcing, against the work's\nusers, your or third parties' legal rights to forbid circumvention of\ntechnological measures.\n\n 4. Conveying Verbatim Copies.\n\n You may convey verbatim copies of the Program's source code as you\nreceive it, in any medium, provided that you conspicuously and\nappropriately publish on each copy an appropriate copyright notice;\nkeep intact all notices stating that this License and any\nnon-permissive terms added in accord with section 7 apply to the code;\nkeep intact all notices of the absence of any warranty; and give all\nrecipients a copy of this License along with the Program.\n\n You may charge any price or no price for each copy that you convey,\nand you may offer support or warranty protection for a fee.\n\n 5. Conveying Modified Source Versions.\n\n You may convey a work based on the Program, or the modifications to\nproduce it from the Program, in the form of source code under the\nterms of section 4, provided that you also meet all of these conditions:\n\n a) The work must carry prominent notices stating that you modified\n it, and giving a relevant date.\n\n b) The work must carry prominent notices stating that it is\n released under this License and any conditions added under section\n 7. This requirement modifies the requirement in section 4 to\n \"keep intact all notices\".\n\n c) You must license the entire work, as a whole, under this\n License to anyone who comes into possession of a copy. This\n License will therefore apply, along with any applicable section 7\n additional terms, to the whole of the work, and all its parts,\n regardless of how they are packaged. This License gives no\n permission to license the work in any other way, but it does not\n invalidate such permission if you have separately received it.\n\n d) If the work has interactive user interfaces, each must display\n Appropriate Legal Notices; however, if the Program has interactive\n interfaces that do not display Appropriate Legal Notices, your\n work need not make them do so.\n\n A compilation of a covered work with other separate and independent\nworks, which are not by their nature extensions of the covered work,\nand which are not combined with it such as to form a larger program,\nin or on a volume of a storage or distribution medium, is called an\n\"aggregate\" if the compilation and its resulting copyright are not\nused to limit the access or legal rights of the compilation's users\nbeyond what the individual works permit. Inclusion of a covered work\nin an aggregate does not cause this License to apply to the other\nparts of the aggregate.\n\n 6. Conveying Non-Source Forms.\n\n You may convey a covered work in object code form under the terms\nof sections 4 and 5, provided that you also convey the\nmachine-readable Corresponding Source under the terms of this License,\nin one of these ways:\n\n a) Convey the object code in, or embodied in, a physical product\n (including a physical distribution medium), accompanied by the\n Corresponding Source fixed on a durable physical medium\n customarily used for software interchange.\n\n b) Convey the object code in, or embodied in, a physical product\n (including a physical distribution medium), accompanied by a\n written offer, valid for at least three years and valid for as\n long as you offer spare parts or customer support for that product\n model, to give anyone who possesses the object code either (1) a\n copy of the Corresponding Source for all the software in the\n product that is covered by this License, on a durable physical\n medium customarily used for software interchange, for a price no\n more than your reasonable cost of physically performing this\n conveying of source, or (2) access to copy the\n Corresponding Source from a network server at no charge.\n\n c) Convey individual copies of the object code with a copy of the\n written offer to provide the Corresponding Source. This\n alternative is allowed only occasionally and noncommercially, and\n only if you received the object code with such an offer, in accord\n with subsection 6b.\n\n d) Convey the object code by offering access from a designated\n place (gratis or for a charge), and offer equivalent access to the\n Corresponding Source in the same way through the same place at no\n further charge. You need not require recipients to copy the\n Corresponding Source along with the object code. If the place to\n copy the object code is a network server, the Corresponding Source\n may be on a different server (operated by you or a third party)\n that supports equivalent copying facilities, provided you maintain\n clear directions next to the object code saying where to find the\n Corresponding Source. Regardless of what server hosts the\n Corresponding Source, you remain obligated to ensure that it is\n available for as long as needed to satisfy these requirements.\n\n e) Convey the object code using peer-to-peer transmission, provided\n you inform other peers where the object code and Corresponding\n Source of the work are being offered to the general public at no\n charge under subsection 6d.\n\n A separable portion of the object code, whose source code is excluded\nfrom the Corresponding Source as a System Library, need not be\nincluded in conveying the object code work.\n\n A \"User Product\" is either (1) a \"consumer product\", which means any\ntangible personal property which is normally used for personal, family,\nor household purposes, or (2) anything designed or sold for incorporation\ninto a dwelling. In determining whether a product is a consumer product,\ndoubtful cases shall be resolved in favor of coverage. For a particular\nproduct received by a particular user, \"normally used\" refers to a\ntypical or common use of that class of product, regardless of the status\nof the particular user or of the way in which the particular user\nactually uses, or expects or is expected to use, the product. A product\nis a consumer product regardless of whether the product has substantial\ncommercial, industrial or non-consumer uses, unless such uses represent\nthe only significant mode of use of the product.\n\n \"Installation Information\" for a User Product means any methods,\nprocedures, authorization keys, or other information required to install\nand execute modified versions of a covered work in that User Product from\na modified version of its Corresponding Source. The information must\nsuffice to ensure that the continued functioning of the modified object\ncode is in no case prevented or interfered with solely because\nmodification has been made.\n\n If you convey an object code work under this section in, or with, or\nspecifically for use in, a User Product, and the conveying occurs as\npart of a transaction in which the right of possession and use of the\nUser Product is transferred to the recipient in perpetuity or for a\nfixed term (regardless of how the transaction is characterized), the\nCorresponding Source conveyed under this section must be accompanied\nby the Installation Information. But this requirement does not apply\nif neither you nor any third party retains the ability to install\nmodified object code on the User Product (for example, the work has\nbeen installed in ROM).\n\n The requirement to provide Installation Information does not include a\nrequirement to continue to provide support service, warranty, or updates\nfor a work that has been modified or installed by the recipient, or for\nthe User Product in which it has been modified or installed. Access to a\nnetwork may be denied when the modification itself materially and\nadversely affects the operation of the network or violates the rules and\nprotocols for communication across the network.\n\n Corresponding Source conveyed, and Installation Information provided,\nin accord with this section must be in a format that is publicly\ndocumented (and with an implementation available to the public in\nsource code form), and must require no special password or key for\nunpacking, reading or copying.\n\n 7. Additional Terms.\n\n \"Additional permissions\" are terms that supplement the terms of this\nLicense by making exceptions from one or more of its conditions.\nAdditional permissions that are applicable to the entire Program shall\nbe treated as though they were included in this License, to the extent\nthat they are valid under applicable law. If additional permissions\napply only to part of the Program, that part may be used separately\nunder those permissions, but the entire Program remains governed by\nthis License without regard to the additional permissions.\n\n When you convey a copy of a covered work, you may at your option\nremove any additional permissions from that copy, or from any part of\nit. (Additional permissions may be written to require their own\nremoval in certain cases when you modify the work.) You may place\nadditional permissions on material, added by you to a covered work,\nfor which you have or can give appropriate copyright permission.\n\n Notwithstanding any other provision of this License, for material you\nadd to a covered work, you may (if authorized by the copyright holders of\nthat material) supplement the terms of this License with terms:\n\n a) Disclaiming warranty or limiting liability differently from the\n terms of sections 15 and 16 of this License; or\n\n b) Requiring preservation of specified reasonable legal notices or\n author attributions in that material or in the Appropriate Legal\n Notices displayed by works containing it; or\n\n c) Prohibiting misrepresentation of the origin of that material, or\n requiring that modified versions of such material be marked in\n reasonable ways as different from the original version; or\n\n d) Limiting the use for publicity purposes of names of licensors or\n authors of the material; or\n\n e) Declining to grant rights under trademark law for use of some\n trade names, trademarks, or service marks; or\n\n f) Requiring indemnification of licensors and authors of that\n material by anyone who conveys the material (or modified versions of\n it) with contractual assumptions of liability to the recipient, for\n any liability that these contractual assumptions directly impose on\n those licensors and authors.\n\n All other non-permissive additional terms are considered \"further\nrestrictions\" within the meaning of section 10. If the Program as you\nreceived it, or any part of it, contains a notice stating that it is\ngoverned by this License along with a term that is a further\nrestriction, you may remove that term. If a license document contains\na further restriction but permits relicensing or conveying under this\nLicense, you may add to a covered work material governed by the terms\nof that license document, provided that the further restriction does\nnot survive such relicensing or conveying.\n\n If you add terms to a covered work in accord with this section, you\nmust place, in the relevant source files, a statement of the\nadditional terms that apply to those files, or a notice indicating\nwhere to find the applicable terms.\n\n Additional terms, permissive or non-permissive, may be stated in the\nform of a separately written license, or stated as exceptions;\nthe above requirements apply either way.\n\n 8. Termination.\n\n You may not propagate or modify a covered work except as expressly\nprovided under this License. Any attempt otherwise to propagate or\nmodify it is void, and will automatically terminate your rights under\nthis License (including any patent licenses granted under the third\nparagraph of section 11).\n\n However, if you cease all violation of this License, then your\nlicense from a particular copyright holder is reinstated (a)\nprovisionally, unless and until the copyright holder explicitly and\nfinally terminates your license, and (b) permanently, if the copyright\nholder fails to notify you of the violation by some reasonable means\nprior to 60 days after the cessation.\n\n Moreover, your license from a particular copyright holder is\nreinstated permanently if the copyright holder notifies you of the\nviolation by some reasonable means, this is the first time you have\nreceived notice of violation of this License (for any work) from that\ncopyright holder, and you cure the violation prior to 30 days after\nyour receipt of the notice.\n\n Termination of your rights under this section does not terminate the\nlicenses of parties who have received copies or rights from you under\nthis License. If your rights have been terminated and not permanently\nreinstated, you do not qualify to receive new licenses for the same\nmaterial under section 10.\n\n 9. Acceptance Not Required for Having Copies.\n\n You are not required to accept this License in order to receive or\nrun a copy of the Program. Ancillary propagation of a covered work\noccurring solely as a consequence of using peer-to-peer transmission\nto receive a copy likewise does not require acceptance. However,\nnothing other than this License grants you permission to propagate or\nmodify any covered work. These actions infringe copyright if you do\nnot accept this License. Therefore, by modifying or propagating a\ncovered work, you indicate your acceptance of this License to do so.\n\n 10. Automatic Licensing of Downstream Recipients.\n\n Each time you convey a covered work, the recipient automatically\nreceives a license from the original licensors, to run, modify and\npropagate that work, subject to this License. You are not responsible\nfor enforcing compliance by third parties with this License.\n\n An \"entity transaction\" is a transaction transferring control of an\norganization, or substantially all assets of one, or subdividing an\norganization, or merging organizations. If propagation of a covered\nwork results from an entity transaction, each party to that\ntransaction who receives a copy of the work also receives whatever\nlicenses to the work the party's predecessor in interest had or could\ngive under the previous paragraph, plus a right to possession of the\nCorresponding Source of the work from the predecessor in interest, if\nthe predecessor has it or can get it with reasonable efforts.\n\n You may not impose any further restrictions on the exercise of the\nrights granted or affirmed under this License. For example, you may\nnot impose a license fee, royalty, or other charge for exercise of\nrights granted under this License, and you may not initiate litigation\n(including a cross-claim or counterclaim in a lawsuit) alleging that\nany patent claim is infringed by making, using, selling, offering for\nsale, or importing the Program or any portion of it.\n\n 11. Patents.\n\n A \"contributor\" is a copyright holder who authorizes use under this\nLicense of the Program or a work on which the Program is based. The\nwork thus licensed is called the contributor's \"contributor version\".\n\n A contributor's \"essential patent claims\" are all patent claims\nowned or controlled by the contributor, whether already acquired or\nhereafter acquired, that would be infringed by some manner, permitted\nby this License, of making, using, or selling its contributor version,\nbut do not include claims that would be infringed only as a\nconsequence of further modification of the contributor version. For\npurposes of this definition, \"control\" includes the right to grant\npatent sublicenses in a manner consistent with the requirements of\nthis License.\n\n Each contributor grants you a non-exclusive, worldwide, royalty-free\npatent license under the contributor's essential patent claims, to\nmake, use, sell, offer for sale, import and otherwise run, modify and\npropagate the contents of its contributor version.\n\n In the following three paragraphs, a \"patent license\" is any express\nagreement or commitment, however denominated, not to enforce a patent\n(such as an express permission to practice a patent or covenant not to\nsue for patent infringement). To \"grant\" such a patent license to a\nparty means to make such an agreement or commitment not to enforce a\npatent against the party.\n\n If you convey a covered work, knowingly relying on a patent license,\nand the Corresponding Source of the work is not available for anyone\nto copy, free of charge and under the terms of this License, through a\npublicly available network server or other readily accessible means,\nthen you must either (1) cause the Corresponding Source to be so\navailable, or (2) arrange to deprive yourself of the benefit of the\npatent license for this particular work, or (3) arrange, in a manner\nconsistent with the requirements of this License, to extend the patent\nlicense to downstream recipients. \"Knowingly relying\" means you have\nactual knowledge that, but for the patent license, your conveying the\ncovered work in a country, or your recipient's use of the covered work\nin a country, would infringe one or more identifiable patents in that\ncountry that you have reason to believe are valid.\n\n If, pursuant to or in connection with a single transaction or\narrangement, you convey, or propagate by procuring conveyance of, a\ncovered work, and grant a patent license to some of the parties\nreceiving the covered work authorizing them to use, propagate, modify\nor convey a specific copy of the covered work, then the patent license\nyou grant is automatically extended to all recipients of the covered\nwork and works based on it.\n\n A patent license is \"discriminatory\" if it does not include within\nthe scope of its coverage, prohibits the exercise of, or is\nconditioned on the non-exercise of one or more of the rights that are\nspecifically granted under this License. You may not convey a covered\nwork if you are a party to an arrangement with a third party that is\nin the business of distributing software, under which you make payment\nto the third party based on the extent of your activity of conveying\nthe work, and under which the third party grants, to any of the\nparties who would receive the covered work from you, a discriminatory\npatent license (a) in connection with copies of the covered work\nconveyed by you (or copies made from those copies), or (b) primarily\nfor and in connection with specific products or compilations that\ncontain the covered work, unless you entered into that arrangement,\nor that patent license was granted, prior to 28 March 2007.\n\n Nothing in this License shall be construed as excluding or limiting\nany implied license or other defenses to infringement that may\notherwise be available to you under applicable patent law.\n\n 12. No Surrender of Others' Freedom.\n\n If conditions are imposed on you (whether by court order, agreement or\notherwise) that contradict the conditions of this License, they do not\nexcuse you from the conditions of this License. If you cannot convey a\ncovered work so as to satisfy simultaneously your obligations under this\nLicense and any other pertinent obligations, then as a consequence you may\nnot convey it at all. For example, if you agree to terms that obligate you\nto collect a royalty for further conveying from those to whom you convey\nthe Program, the only way you could satisfy both those terms and this\nLicense would be to refrain entirely from conveying the Program.\n\n 13. Use with the GNU Affero General Public License.\n\n Notwithstanding any other provision of this License, you have\npermission to link or combine any covered work with a work licensed\nunder version 3 of the GNU Affero General Public License into a single\ncombined work, and to convey the resulting work. The terms of this\nLicense will continue to apply to the part which is the covered work,\nbut the special requirements of the GNU Affero General Public License,\nsection 13, concerning interaction through a network will apply to the\ncombination as such.\n\n 14. Revised Versions of this License.\n\n The Free Software Foundation may publish revised and/or new versions of\nthe GNU General Public License from time to time. Such new versions will\nbe similar in spirit to the present version, but may differ in detail to\naddress new problems or concerns.\n\n Each version is given a distinguishing version number. If the\nProgram specifies that a certain numbered version of the GNU General\nPublic License \"or any later version\" applies to it, you have the\noption of following the terms and conditions either of that numbered\nversion or of any later version published by the Free Software\nFoundation. If the Program does not specify a version number of the\nGNU General Public License, you may choose any version ever published\nby the Free Software Foundation.\n\n If the Program specifies that a proxy can decide which future\nversions of the GNU General Public License can be used, that proxy's\npublic statement of acceptance of a version permanently authorizes you\nto choose that version for the Program.\n\n Later license versions may give you additional or different\npermissions. However, no additional obligations are imposed on any\nauthor or copyright holder as a result of your choosing to follow a\nlater version.\n\n 15. Disclaimer of Warranty.\n\n THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY\nAPPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT\nHOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY\nOF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,\nTHE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\nPURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM\nIS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF\nALL NECESSARY SERVICING, REPAIR OR CORRECTION.\n\n 16. Limitation of Liability.\n\n IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING\nWILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS\nTHE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY\nGENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE\nUSE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF\nDATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD\nPARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),\nEVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF\nSUCH DAMAGES.\n\n 17. Interpretation of Sections 15 and 16.\n\n If the disclaimer of warranty and limitation of liability provided\nabove cannot be given local legal effect according to their terms,\nreviewing courts shall apply local law that most closely approximates\nan absolute waiver of all civil liability in connection with the\nProgram, unless a warranty or assumption of liability accompanies a\ncopy of the Program in return for a fee.\n\n END OF TERMS AND CONDITIONS\n\n How to Apply These Terms to Your New Programs\n\n If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these terms.\n\n To do so, attach the following notices to the program. It is safest\nto attach them to the start of each source file to most effectively\nstate the exclusion of warranty; and each file should have at least\nthe \"copyright\" line and a pointer to where the full notice is found.\n\n \n Copyright (C) \n\n This program is free software: you can redistribute it and/or modify\n it under the terms of the GNU General Public License as published by\n the Free Software Foundation, either version 3 of the License, or\n (at your option) any later version.\n\n This program is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n GNU General Public License for more details.\n\n You should have received a copy of the GNU General Public License\n along with this program. If not, see .\n\nAlso add information on how to contact you by electronic and paper mail.\n\n If the program does terminal interaction, make it output a short\nnotice like this when it starts in an interactive mode:\n\n Copyright (C) \n This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.\n This is free software, and you are welcome to redistribute it\n under certain conditions; type `show c' for details.\n\nThe hypothetical commands `show w' and `show c' should show the appropriate\nparts of the General Public License. Of course, your program's commands\nmight be different; for a GUI interface, you would use an \"about box\".\n\n You should also get your employer (if you work as a programmer) or school,\nif any, to sign a \"copyright disclaimer\" for the program, if necessary.\nFor more information on this, and how to apply and follow the GNU GPL, see\n.\n\n The GNU General Public License does not permit incorporating your program\ninto proprietary programs. If your program is a subroutine library, you\nmay consider it more useful to permit linking proprietary applications with\nthe library. If this is what you want to do, use the GNU Lesser General\nPublic License instead of this License. But first, please read\n.\n"
},
{
"path": "README-dev.md",
"content": "# 开发文档\n\n这里主要介绍如何构建这个项目的。主要分为几步:替换镜像,重新打标签上传到私有镜像仓库,生成安装文档。\n\n运行命令:\n```bash\npython pre-install.py\npython install.py\n```\n\n## 实现原理\n\n### 预处理\n\n通过 `kustomize build --load_restrictor=none` 生成镜像目标yaml 文件\n\n### 替换镜像\n\n替换镜像主要是 `replace.py`实现,主要从 deployment, statefulset 找到镜像字段,重新打标签替换成新的镜像仓库地址,push上传到私有镜像仓库\n\n### 安装文件\n\n运行`python install.py` 安装文件。\n\n## PATCH文件\n\npatch文件主要针对官方yaml安装使用过程中的一些问题打的补丁\n\n### 鉴权问题\n`auth.yaml` 主要用于创建用户自己的账号,用户名`admin@example.com`,密码`password`\n\n### istio报istio-token找不到\n\n主要是由于istio的JWT策略用到第三方鉴权,有些k8s版本不支持,可以将isito中的 `third-party-jwt` 改成 `first-party-jwt`,详细见`cluster-local-gateway.yaml`,`istio-ingressgateway.yaml`,`istiod.yaml`。\n\n### 创建jupyter的时候返回 Could not find CSRF cookie XSRF-TOKEN 错误\n\n主要是由于jupyter-web-app的安全验证策略导致的,详细见https://github.com/kubeflow/kubeflow/issues/5803\n解决方案环境变量加上`APP_SECURE_COOKIES=false`,修改见`jupyter-web-app.yaml`\n\n### 解决docker.sock not found 问题\n\n因为 kind 使用的 containerd 作为容器运行时,而 argo workflow 默认 Workflow Executors使用的是 docker ,他会尝试挂载宿主机的 `docker.sock`,如果不存在就会报错,这里尝试将`workflow-controller-configmap`的`containerRuntimeExecutor` 改为 `k8sapi` 更换 Workflow Executors 来解决。详细见:https://argoproj.github.io/argo-workflows/workflow-executors/"
},
{
"path": "README.md",
"content": "# Kubeflow安装及使用教程(中国版)\n\n由于国内网络问题,Kubeflow 通常安装都是各种磕磕碰碰,以一颗为广大人民谋福利的心,这里提供中国的本地镜像版(阿里云镜像/dockerhub)的**安装**。\n同时这里汇总了一些kubeflow的中文教程资料供大家参考。\n\n## Kubeflow 使用教程\n- [kubeflow安装](/README.md)\n- [kubeflow各组件介绍](/docs/introduction.md)\n- [问题汇总](/docs/problems.md)\n\n## 安装步骤\n\n### 安装k8s\n\n如果已经有k8s集群,这一步可以跳过,直接到[kubeflow安装](https://github.com/shikanon/kubeflow-manifests#%E5%AE%89%E8%A3%85kubeflow)。\n\n**kind安装k8s集群**\n\n下载[kind工具](https://github.com/kubernetes-sigs/kind/tags)\n\n使用kind安装k8s集群:\n\n```bash\n$ kind create cluster --config=kind/kind-config.yaml --name=kubeflow --image=kindest/node:v1.16.15\n```\n\n启动成功后可以看到开了一个30000端口:\n```bash\n$ docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\n5f67af713e28 kindest/node:v1.19.1 \"/usr/local/bin/entr…\" 3 minutes ago Up 3 minutes 0.0.0.0:30000->30000/tcp, 127.0.0.1:56682->6443/tcp kubeflow-control-plane\n```\n\n由于 kubeflow 实验组件较多,最好准备机器的最低配置能够大于*CPU8核,内存32G*以上。\n\n### 安装kubeflow\n\n**2.启动**\n```bash\n$ python install.py\n```\n\n等待镜像拉取,由于涉及的镜像比较多,要20~30分钟左右,可以通过命令查看是否就绪:\n\n**3.查看结果**\n```\n$ kubectl get pod -nkubeflow\nNAME READY STATUS RESTARTS AGE\nadmission-webhook-deployment-6fb9d65887-pzvgc 1/1 Running 0 19h\ncache-deployer-deployment-7558d65bf4-jhgwg 2/2 Running 1 3h54m\ncache-server-c64c68ddf-lx7xq 2/2 Running 0 3h54m\ncentraldashboard-7b7676d8bd-g2s8j 1/1 Running 0 4h46m\njupyter-web-app-deployment-66f74586d9-scbsm 1/1 Running 0 3h4m\nkatib-controller-77675c88df-mx4rh 1/1 Running 0 19h\nkatib-db-manager-646695754f-z797r 1/1 Running 0 19h\nkatib-mysql-5bb5bd9957-gbl5t 1/1 Running 0 19h\nkatib-ui-55fd4bd6f9-r98r2 1/1 Running 0 19h\nkfserving-controller-manager-0 2/2 Running 0 19h\nkubeflow-pipelines-profile-controller-5698bf57cf-dhtsj 1/1 Running 0 3h52m\nmetacontroller-0 1/1 Running 0 4h52m\nmetadata-envoy-deployment-76d65977f7-rmlzc 1/1 Running 0 4h52m\nmetadata-grpc-deployment-697d9c6c67-j6dl2 2/2 Running 3 4h52m\nmetadata-writer-58cdd57678-8t6gw 2/2 Running 1 4h52m\nminio-6d6784db95-tqs77 2/2 Running 0 4h45m\nml-pipeline-85fc99f899-plsz2 2/2 Running 1 4h52m\nml-pipeline-persistenceagent-65cb9594c7-xvn4j 2/2 Running 1 4h52m\nml-pipeline-scheduledworkflow-7f8d8dfc69-7wfs4 2/2 Running 0 4h52m\nml-pipeline-ui-5c765cc7bd-4r2j7 2/2 Running 0 4h52m\nml-pipeline-viewer-crd-5b8df7f458-5b8qg 2/2 Running 1 4h52m\nml-pipeline-visualizationserver-56c5ff68d5-92bkf 2/2 Running 0 4h52m\nmpi-operator-789f88879-n4xms 1/1 Running 0 19h\nmxnet-operator-7fff864957-vq2bg 1/1 Running 0 19h\nmysql-56b554ff66-kd7bd 2/2 Running 0 4h45m\nnotebook-controller-deployment-74d9584477-qhpp8 1/1 Running 0 19h\nprofiles-deployment-67b4666796-k7t2h 2/2 Running 0 19h\npytorch-operator-fd86f7694-dxbgf 2/2 Running 0 19h\ntensorboard-controller-controller-manager-fd6bcffb4-k9qvx 3/3 Running 1 19h\ntensorboards-web-app-deployment-78d7b8b658-dktc6 1/1 Running 0 19h\ntf-job-operator-7bc5cf4cc7-gk8tz 1/1 Running 0 19h\nvolumes-web-app-deployment-68fcfc9775-bz9gq 1/1 Running 0 19h\nworkflow-controller-566998f76b-2v2kq 2/2 Running 1 4h52m\nxgboost-operator-deployment-5c7bfd57cc-9rtq6 2/2 Running 1 19h\n```\n\n如果所有pod 都running了表示安装完了。\n\n*注:除了kubeflow命名空间,该一键安装工具也会安装istio,knative,因此也要保证这两个命名空间下的服务全部running*\n*如果你的mysql没启动成功,可以运行kubectl apply -f database-patch/mysql-persistent-storage.yaml*\n\n全部pod running后,可以访问本地的30000端口(istio-ingressgateway设置了nodeport为30000端口),就可以看到登录界面了:\n\n\n输入账号密码即可登录,这里的账号密码可以通过`patch/auth.yaml`进行更改。\n默认的用户名是`admin@example.com`,密码是`password`\n\n登录后进入kubeflow界面:\n\n\n### 删除kubeflow资源\n\n```bash\n kind delete cluster --name kubeflow\n```\n\n**如果不希望流量鉴权,可以把istio的authorizationpolicies全部删除**\n```bash\nkubectl delete authorizationpolicies --all -A\n```"
},
{
"path": "database-patch/mysql-persistent-storage.yaml",
"content": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: mysql\n application-crd-id: kubeflow-pipelines\n name: mysql\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: mysql\n application-crd-id: kubeflow-pipelines\n strategy:\n type: Recreate\n template:\n metadata:\n labels:\n app: mysql\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - args:\n - --ignore-db-dir=lost+found\n - --datadir\n - /var/lib/mysql\n env:\n - name: MYSQL_ALLOW_EMPTY_PASSWORD\n value: \"true\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-mysql:5.7-f8fcd\n name: mysql\n ports:\n - containerPort: 3306\n name: mysql\n resources:\n requests:\n cpu: 100m\n memory: 800Mi\n volumeMounts:\n - mountPath: /var/lib/mysql\n name: mysql-persistent-storage\n serviceAccountName: mysql\n volumes:\n - name: mysql-persistent-storage\n emptyDir:\n {}\n"
},
{
"path": "docs/introduction.md",
"content": "# Introduction\n\n---\n\n\n\n可以看到新版的kubeflow多了很多功能。\n\n这里按模块介绍下 Kubeflow 的几个核心组件。\n- Notebook Servers,作为一个管理线上交互实验的记录工具,可以帮助算法人员快速完成算法实验,同时notebook server 提供了统一的文档管理能力。\n- AutoML,提供自动化的服务,对特征处理、特征选择、模型选择、模型参数的配置、模型训练和评估等方面,实现了全自动建模,降低算法人员手动实验次数。\n- Pipeline,提供一个算法流水线的工程化工具,将算法各流程模块以拓扑图的形式组合起来,同时结合 argo 可以实现 MLOps。\n- Serverless,将模型直接发布成一个对外的服务,缩短从实验到生产的路径。\n\n\n\n## Notebook Servers\n\nnotebook 可以说是做机器学习最喜欢用到的工具了,完美的将动态语言的交互性发挥出来,kubeflow 提供了 jupyter notebook 来快速构建云上的实验环境,这里以一个我们自定义的镜像为例:\n\n\n\n我们创建了一个`test-for-jupyter`名字的镜像,配置了一个 tensorflow 的镜像,点击启动,我们可以看到在`kubeflow-user-example-com`命名空间下已经创建我们的应用了:\n```bash\nkubectl get po -nkubeflow-user-example-com\nNAME READY STATUS RESTARTS AGE\nml-pipeline-ui-artifact-6d7ffcc4b6-9kxkk 2/2 Running 0 48m\nml-pipeline-visualizationserver-84d577b989-5hl46 2/2 Running 0 48m\ntest-for-jupyter-0 0/2 PodInitializing 0 44s\n```\n\n\n\n创建完成后点击 connect 就可以进入我们创建的应用界面中了\n\n\n\n\n在 jupyterlab 环境中开发人员可以很方便的进行算法实验,同时由于运行在云上利用 k8s api甚至可以很方便构建k8s资源,比如通过 kfserving 创建一个ML服务。\n\n\n\n\n## AutoML\n\nAutoML 是机器学习比较热的领域,主要用来模型自动优化和超参数调整,这里其实是用的 Katib来实现的,一个基于k8s的 AutoML 项目,详细见https://github.com/kubeflow/katib。\n\nKatib 主要提供了 超参数调整(Hyperparameter Tuning),早停法(Early Stopping)和神经网络架构搜索(Neural Architecture Search)\n\n这里以一个随机搜索算法为例:\n```yaml\napiVersion: \"kubeflow.org/v1beta1\"\nkind: Experiment\nmetadata:\n namespace: kubeflow-user-example-com\n name: random-example\nspec:\n objective:\n type: maximize\n goal: 0.99\n objectiveMetricName: Validation-accuracy\n additionalMetricNames:\n - Train-accuracy\n algorithm:\n algorithmName: random\n parallelTrialCount: 3\n maxTrialCount: 12\n maxFailedTrialCount: 3\n parameters:\n - name: lr\n parameterType: double\n feasibleSpace:\n min: \"0.01\"\n max: \"0.03\"\n - name: num-layers\n parameterType: int\n feasibleSpace:\n min: \"2\"\n max: \"5\"\n - name: optimizer\n parameterType: categorical\n feasibleSpace:\n list:\n - sgd\n - adam\n - ftrl\n trialTemplate:\n primaryContainerName: training-container\n trialParameters:\n - name: learningRate\n description: Learning rate for the training model\n reference: lr\n - name: numberLayers\n description: Number of training model layers\n reference: num-layers\n - name: optimizer\n description: Training model optimizer (sdg, adam or ftrl)\n reference: optimizer\n trialSpec:\n apiVersion: batch/v1\n kind: Job\n spec:\n template:\n spec:\n containers:\n - name: training-container\n image: docker.io/kubeflowkatib/mxnet-mnist:v1beta1-45c5727\n command:\n - \"python3\"\n - \"/opt/mxnet-mnist/mnist.py\"\n - \"--batch-size=64\"\n - \"--lr=${trialParameters.learningRate}\"\n - \"--num-layers=${trialParameters.numberLayers}\"\n - \"--optimizer=${trialParameters.optimizer}\"\n restartPolicy: Never\n```\n\n这里以一个简单的神经网络为例,该程序具有三个参数 lr, num-layers, optimizer,采用的算法是随机搜索,目标是最大化准确率(accuracy)。\n\n可以直接在界面中填上yaml文件,然后提交,完成后会生成一张各参数和准确率的关系图和训练列表:\n\n\n\n## Experiments and Pipelines\n\nexperiments 为我们提供了一个可以创建实验空间功能, `pipeline` 定义了算法组合的模板,通过 `pipeline` 我们可以将算法中各处理模块按特定的拓扑图的方式组合起来。\n\n这里可以看看官方提供的几个 pipeline 例子:\n\n\n\nkubeflow `pipeline` 本质是基于 argo `workflow` 实现,**由于我们的kubeflow是基于kind上构建的,容器运行时用的containerd,而workflow默认的pipeline执行器是docker,因此有些特性不兼容**,这块可以见 argo workflow 官方说明:https://argoproj.github.io/argo-workflows/workflow-executors/。\n这里我是把 workflow 的 `containerRuntimeExecutor` 改成了 `k8sapi`。但 `k8sapi` 由于在 workflow 是二级公民,因此有些功能不能用,比如 kubeflow pipeline 在 input/output 的 artifacts 需要用到 `docker cp` 命令,可以参考这个issue: https://github.com/argoproj/argo-workflows/issues/2685#issuecomment-613632304\n\n由于以上原因 kubeflow 默认给的几个案例并没有用 volumes 是无法在 kind 中运行起来,这里我们基于 argo workflow 语法自己实现一个 `pipeline`\n\n### 基于pipeline构建一个的工作流水\n\n**第一步,构建一个 workflow pipeline 文件:**\n\n```yaml\napiVersion: argoproj.io/v1alpha1\nkind: Workflow\nmetadata:\n generateName: kubeflow-test-\nspec:\n entrypoint: kubeflow-test\n templates:\n - name: kubeflow-test\n dag:\n tasks:\n - name: print-text\n template: print-text\n dependencies: [repeat-line]\n - {name: repeat-line, template: repeat-line}\n - name: repeat-line\n container:\n args: [--line, Hello, --count, '15', --output-text, /gotest/outputs/output_text/data]\n command:\n - sh\n - -ec\n - |\n program_path=$(mktemp)\n printf \"%s\" \"$0\" > \"$program_path\"\n python3 -u \"$program_path\" \"$@\"\n - |\n def _make_parent_dirs_and_return_path(file_path: str):\n import os\n os.makedirs(os.path.dirname(file_path), exist_ok=True)\n return file_path\n\n def repeat_line(line, output_text_path, count = 10):\n '''Repeat the line specified number of times'''\n with open(output_text_path, 'w') as writer:\n for i in range(count):\n writer.write(line + '\\n')\n\n import argparse\n _parser = argparse.ArgumentParser(prog='Repeat line', description='Repeat the line specified number of times')\n _parser.add_argument(\"--line\", dest=\"line\", type=str, required=True, default=argparse.SUPPRESS)\n _parser.add_argument(\"--count\", dest=\"count\", type=int, required=False, default=argparse.SUPPRESS)\n _parser.add_argument(\"--output-text\", dest=\"output_text_path\", type=_make_parent_dirs_and_return_path, required=True, default=argparse.SUPPRESS)\n _parsed_args = vars(_parser.parse_args())\n\n _outputs = repeat_line(**_parsed_args)\n image: python:3.7\n volumeMounts:\n - name: workdir\n mountPath: /gotest/outputs/output_text/\n volumes:\n - name: workdir\n persistentVolumeClaim:\n claimName: kubeflow-test-pv\n metadata:\n annotations: \n - name: print-text\n container:\n args: [--text, /gotest/outputs/output_text/data]\n command:\n - sh\n - -ec\n - |\n program_path=$(mktemp)\n printf \"%s\" \"$0\" > \"$program_path\"\n python3 -u \"$program_path\" \"$@\"\n - |\n def print_text(text_path): # The \"text\" input is untyped so that any data can be printed\n '''Print text'''\n with open(text_path, 'r') as reader:\n for line in reader:\n print(line, end = '')\n\n import argparse\n _parser = argparse.ArgumentParser(prog='Print text', description='Print text')\n _parser.add_argument(\"--text\", dest=\"text_path\", type=str, required=True, default=argparse.SUPPRESS)\n _parsed_args = vars(_parser.parse_args())\n\n _outputs = print_text(**_parsed_args)\n image: python:3.7\n volumeMounts:\n - name: workdir\n mountPath: /gotest/outputs/output_text/\n volumes:\n - name: workdir\n persistentVolumeClaim:\n claimName: kubeflow-test-pv\n metadata:\n annotations: \n```\n\nargo workflow 的语法可以参考:https://argoproj.github.io/argo-workflows/variables/\n\n这里我们定义了两个任务 repeat-line 和 print-text, repeat-line 任务会将生产结果写入 `kubeflow-test-pv` 的 PVC 中, print-text 会从 PVC 中读取数据输出到 stdout。\n\n这里由于用到 PVC,我们需要先在集群中创建一个`kubeflow-test-pv`的PVC:\n```yaml\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: kubeflow-test-pv\n namespace: kubeflow-user-example-com\nspec:\n accessModes:\n - ReadWriteOnce\n resources:\n requests:\n storage: 128Mi\n```\n\n\n**第二步,定义好 pipeline 文件后可以创建pipeline:**\n\n\n\n**第三步,启动一个pipeline:**\n\n\n\n启动 pipeline 除了单次运行模式 one-off,也支持定时器循环模式 Recurring,这块可以根据自己的需求确定。\n\n**查看运行结果:**\n\n\n\n运行完后,可以将实验进行归档(Archived)。\n\n\n\n## 关于 MLOps 的一点思考\n\n我们来看一个简单的 ML 运作流程:\n\n\n这是一个 google 提供的 level 1 级别的机器学习流水线自动化,整个流水线包括以下几部分:\n- 构建快速算法实验的环境(experimentation),这里的步骤已经过编排,各个步骤之间的转换是自动执行的,这样可以快速迭代实验,并更好地准备将整个流水线移至生产环境,在这个环境中算法研究员只进行模块内部的工作。\n- 构建可复用的生产环境流水线,组件的源代码模块化,实验环境模块化流水线可以直接在 staging 环境和 production 环境中使用。\n- 持续交付模型,生产环境中的机器学习流水线会向使用新数据进行训练的新模型持续交付预测服务。\n\n基于上述功能描述我们其实可以基于 kubeflow 的 `pipeline` 和 `kfserving` 功能轻松实现一个简单的 MLOps 流水线发布流程。不过,值得注意的是,DevOps 本身并不仅仅是一种技术,同时是一种工程文化,所以在实践落地中需要团队各方的协同分阶段的落地。这块可以参考[《MLOps: Continuous delivery and automation pipelines in machine learning》](https://cloud.google.com/architecture/mlops-continuous-delivery-and-automation-pipelines-in-machine-learning)和[《Hidden Technical Debt in Machine Learning Systems》](https://papers.nips.cc/paper/2015/file/86df7dcfd896fcaf2674f757a2463eba-Paper.pdf)\n\n\n# 参考文献\n- https://www.tensorflow.org/tutorials/quickstart/beginner\n- https://github.com/dexidp/dex\n- https://github.com/kubeflow/kfserving/tree/master/docs\n- https://argoproj.github.io/argo-workflows/workflow-executors/\n- https://github.com/shikanon/kubeflow-manifests\n- https://argoproj.github.io/argo-workflows/variables/\n- https://cloud.google.com/architecture/mlops-continuous-delivery-and-automation-pipelines-in-machine-learning"
},
{
"path": "docs/problems.md",
"content": "# 问题汇总 \n\n1. 没有 namespace, Experiments 报错。\n\n这种是 `profile` 设置问题。\n\n由于官方使用的是`user@example.com`创建命名空间`kubeflow-user-example-com`,这里在`patch`改成了`admin@example.com`\n,当命名空间已经创建后,就会报错,一般我们查看 profiles-deployment 日志,会看到:\n```bash\n2021-05-19T06:41:43.069Z INFO controllers.Profile namespace already exist, but not owned by profile creator admin@example.com {\"profile\": \"/kubeflow-user-example-com\"}\n2021-05-19T06:41:43.077Z DEBUG controller Successfully Reconciled {\"reconcilerGroup\": \"kubeflow.org\", \"reconcilerKind\": \"Profile\", \"controller\": \"profile\", \"name\": \"kubeflow-user-example-com\", \"namespace\": \"\"}\n```\n这时候只需要删除`profile`命名空间`kubeflow-user-example-com`,重新生产`profile`即可。\n```bash\nkubectl delete -f patch/auth.yaml\nkubectl delete ns kubeflow-user-example-com\nkubectl apply -f patch/auth.yaml\n```\n\n2. 运行 pipeline 报错,错误显示`xxx is not implemented in the k8sapi executor`\n\n这个错误是由于 kind 集群创建的 k8s 集群容器运行时用的containerd,而workflow默认的pipeline执行器是docker,因此有些特性不兼容。如果你的 k8s 集群是自己基于docker runtime 搭建的,可以将`patch/workflow-controller.yaml`的`containerRuntimeExecutor`改为`docker`,这样就不存在兼容性问题了。\n\n详细见:\n\nhttps://github.com/argoproj/argo-workflows/issues/2685#issuecomment-613632304\nhttps://argoproj.github.io/argo-workflows/workflow-executors/"
},
{
"path": "example/kitab-random-example.yaml",
"content": "apiVersion: \"kubeflow.org/v1beta1\"\nkind: Experiment\nmetadata:\n namespace: kubeflow-user-example-com\n name: random-example\nspec:\n objective:\n type: maximize\n goal: 0.99\n objectiveMetricName: Validation-accuracy\n additionalMetricNames:\n - Train-accuracy\n algorithm:\n algorithmName: random\n parallelTrialCount: 3\n maxTrialCount: 12\n maxFailedTrialCount: 3\n parameters:\n - name: lr\n parameterType: double\n feasibleSpace:\n min: \"0.01\"\n max: \"0.03\"\n - name: num-layers\n parameterType: int\n feasibleSpace:\n min: \"2\"\n max: \"5\"\n - name: optimizer\n parameterType: categorical\n feasibleSpace:\n list:\n - sgd\n - adam\n - ftrl\n trialTemplate:\n primaryContainerName: training-container\n trialParameters:\n - name: learningRate\n description: Learning rate for the training model\n reference: lr\n - name: numberLayers\n description: Number of training model layers\n reference: num-layers\n - name: optimizer\n description: Training model optimizer (sdg, adam or ftrl)\n reference: optimizer\n trialSpec:\n apiVersion: batch/v1\n kind: Job\n spec:\n template:\n spec:\n containers:\n - name: training-container\n image: docker.io/kubeflowkatib/mxnet-mnist:v1beta1-45c5727\n command:\n - \"python3\"\n - \"/opt/mxnet-mnist/mnist.py\"\n - \"--batch-size=64\"\n - \"--lr=${trialParameters.learningRate}\"\n - \"--num-layers=${trialParameters.numberLayers}\"\n - \"--optimizer=${trialParameters.optimizer}\"\n restartPolicy: Never"
},
{
"path": "install.py",
"content": "#!/bin/python\n#coding:utf-8\nimport os\nimport subprocess\nimport sys\nimport time\n\ndef install(path):\n for root,path,files in os.walk(path):\n files = sorted(files)\n for f in files:\n installfile = root + \"/\" + f\n cmd = \"kubectl apply -f {installfile}\".format(installfile=installfile)\n print(cmd)\n p = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE)\n out = p.stdout.read()\n print(out)\n time.sleep(10)\n\n'''\n因为一些patch安装涉及到的一些修改需要重启pod,所以先删除再安装\n'''\ndef patchInstall(path):\n print(\"start to patch...\")\n for root,path,files in os.walk(path):\n files = sorted(files)\n for f in files:\n installfile = root + \"/\" + f\n cmd_delete = \"kubectl delete -f {installfile}\".format(installfile=installfile)\n p = subprocess.Popen(cmd_delete,shell=True,stdout=subprocess.PIPE)\n out = p.stdout.read()\n print(out)\n cmd_apply = \"kubectl apply -f {installfile}\".format(installfile=installfile)\n p = subprocess.Popen(cmd_apply,shell=True,stdout=subprocess.PIPE)\n out = p.stdout.read()\n print(out)\n\n# 安装文件\npath = \"./manifest1.3\"\ninstall(path)\n\n# 安装patch\npatchPath = \"./patch\"\npatchInstall(patchPath)\n"
},
{
"path": "kind/kind-config.yaml",
"content": "apiVersion: kind.x-k8s.io/v1alpha4\nkind: Cluster\nnodes:\n- role: control-plane\n extraPortMappings:\n - containerPort: 30000\n hostPort: 30000\n listenAddress: \"0.0.0.0\" # Optional, defaults to \"0.0.0.0\"\n protocol: tcp # Optional, defaults to tcp\n kubeadmConfigPatches:\n - |\n kind: InitConfiguration\n nodeRegistration:\n kubeletExtraArgs:\n node-labels: \"ingress-ready=true\"\n"
},
{
"path": "local-path/local-path-storage.yaml",
"content": "apiVersion: v1\nkind: Namespace\nmetadata:\n name: local-path-storage\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: local-path-provisioner-service-account\n namespace: local-path-storage\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: local-path-provisioner-role\nrules:\n- apiGroups: [\"\"]\n resources: [\"nodes\", \"persistentvolumeclaims\"]\n verbs: [\"get\", \"list\", \"watch\"]\n- apiGroups: [\"\"]\n resources: [\"endpoints\", \"persistentvolumes\", \"pods\"]\n verbs: [\"*\"]\n- apiGroups: [\"\"]\n resources: [\"events\"]\n verbs: [\"create\", \"patch\"]\n- apiGroups: [\"storage.k8s.io\"]\n resources: [\"storageclasses\"]\n verbs: [\"get\", \"list\", \"watch\"]\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: local-path-provisioner-bind\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: local-path-provisioner-role\nsubjects:\n- kind: ServiceAccount\n name: local-path-provisioner-service-account\n namespace: local-path-storage\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: local-path-provisioner\n namespace: local-path-storage\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: local-path-provisioner\n template:\n metadata:\n labels:\n app: local-path-provisioner\n spec:\n serviceAccountName: local-path-provisioner-service-account\n containers:\n - name: local-path-provisioner\n image: rancher/local-path-provisioner:v0.0.11\n imagePullPolicy: IfNotPresent\n command:\n - local-path-provisioner\n - --debug\n - start\n - --config\n - /etc/config/config.json\n volumeMounts:\n - name: config-volume\n mountPath: /etc/config/\n env:\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n volumes:\n - name: config-volume\n configMap:\n name: local-path-config\n---\napiVersion: storage.k8s.io/v1\nkind: StorageClass\nmetadata:\n name: local-path\n annotations: #添加为默认StorageClass\n storageclass.beta.kubernetes.io/is-default-class: \"true\"\nprovisioner: rancher.io/local-path\nvolumeBindingMode: WaitForFirstConsumer\nreclaimPolicy: Delete\n---\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: local-path-config\n namespace: local-path-storage\ndata:\n config.json: |-\n {\n \"nodePathMap\":[\n {\n \"node\":\"DEFAULT_PATH_FOR_NON_LISTED_NODES\",\n \"paths\":[\"/opt/local-path-provisioner\"]\n }\n ]\n }\n"
},
{
"path": "manifest1.3/001-cert-manager-cert-manager-kube-system-resources-base.yaml",
"content": "apiVersion: rbac.authorization.k8s.io/v1beta1\nkind: Role\nmetadata:\n labels:\n app: cainjector\n kustomize.component: cert-manager\n name: cert-manager-cainjector:leaderelection\n namespace: kube-system\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - create\n - update\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: Role\nmetadata:\n labels:\n app: cert-manager\n kustomize.component: cert-manager\n name: cert-manager:leaderelection\n namespace: kube-system\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - create\n - update\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: RoleBinding\nmetadata:\n labels:\n app: cainjector\n kustomize.component: cert-manager\n name: cert-manager-cainjector:leaderelection\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: cert-manager-cainjector:leaderelection\nsubjects:\n- apiGroup: \"\"\n kind: ServiceAccount\n name: cert-manager-cainjector\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: RoleBinding\nmetadata:\n labels:\n app: webhook\n kustomize.component: cert-manager\n name: cert-manager-webhook:webhook-authentication-reader\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: extension-apiserver-authentication-reader\nsubjects:\n- apiGroup: \"\"\n kind: ServiceAccount\n name: cert-manager-webhook\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: RoleBinding\nmetadata:\n labels:\n app: cert-manager\n kustomize.component: cert-manager\n name: cert-manager:leaderelection\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: cert-manager:leaderelection\nsubjects:\n- apiGroup: \"\"\n kind: ServiceAccount\n name: cert-manager\n namespace: cert-manager\n---\napiVersion: v1\ndata:\n certManagerNamespace: cert-manager\nkind: ConfigMap\nmetadata:\n labels:\n kustomize.component: cert-manager\n name: cert-manager-kube-params-parameters\n namespace: kube-system\n"
},
{
"path": "manifest1.3/002-cert-manager-cert-manager-crds-base.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: certificaterequests.cert-manager.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .spec.issuerRef.name\n name: Issuer\n priority: 1\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].message\n name: Status\n priority: 1\n type: string\n - JSONPath: .metadata.creationTimestamp\n description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n name: Age\n type: date\n group: cert-manager.io\n names:\n kind: CertificateRequest\n listKind: CertificateRequestList\n plural: certificaterequests\n shortNames:\n - cr\n - crs\n singular: certificaterequest\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n description: CertificateRequest is a type to represent a Certificate Signing Request\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: CertificateRequestSpec defines the desired state of CertificateRequest\n properties:\n csr:\n description: Byte slice containing the PEM encoded CertificateSigningRequest\n format: byte\n type: string\n duration:\n description: Requested certificate default Duration\n type: string\n isCA:\n description: IsCA will mark the resulting certificate as valid for signing. This implies that the 'cert sign' usage is set\n type: boolean\n issuerRef:\n description: IssuerRef is a reference to the issuer for this CertificateRequest. If the 'kind' field is not set, or set to 'Issuer', an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the provided name will be used. The 'name' field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to 'cert-manager.io' if empty.\n properties:\n group:\n type: string\n kind:\n type: string\n name:\n type: string\n required:\n - name\n type: object\n usages:\n description: Usages is the set of x509 actions that are enabled for a given key. Defaults are ('digital signature', 'key encipherment') if empty\n items:\n description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12'\n enum:\n - signing\n - digital signature\n - content commitment\n - key encipherment\n - key agreement\n - data encipherment\n - cert sign\n - crl sign\n - encipher only\n - decipher only\n - any\n - server auth\n - client auth\n - code signing\n - email protection\n - s/mime\n - ipsec end system\n - ipsec tunnel\n - ipsec user\n - timestamping\n - ocsp signing\n - microsoft sgc\n - netscape sgc\n type: string\n type: array\n required:\n - issuerRef\n type: object\n status:\n description: CertificateStatus defines the observed state of CertificateRequest and resulting signed certificate.\n properties:\n ca:\n description: Byte slice containing the PEM encoded certificate authority of the signed certificate.\n format: byte\n type: string\n certificate:\n description: Byte slice containing a PEM encoded signed certificate resulting from the given certificate signing request.\n format: byte\n type: string\n conditions:\n items:\n description: CertificateRequestCondition contains condition information for a CertificateRequest.\n properties:\n lastTransitionTime:\n description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.\n format: date-time\n type: string\n message:\n description: Message is a human readable description of the details of the last transition, complementing reason.\n type: string\n reason:\n description: Reason is a brief machine readable explanation for the condition's last transition.\n type: string\n status:\n description: Status of the condition, one of ('True', 'False', 'Unknown').\n enum:\n - \"True\"\n - \"False\"\n - Unknown\n type: string\n type:\n description: Type of the condition, currently ('Ready').\n type: string\n required:\n - status\n - type\n type: object\n type: array\n failureTime:\n description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.\n format: date-time\n type: string\n type: object\n type: object\n version: v1alpha2\n versions:\n - name: v1alpha2\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: certificates.cert-manager.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .spec.secretName\n name: Secret\n type: string\n - JSONPath: .spec.issuerRef.name\n name: Issuer\n priority: 1\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].message\n name: Status\n priority: 1\n type: string\n - JSONPath: .metadata.creationTimestamp\n description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n name: Age\n type: date\n group: cert-manager.io\n names:\n kind: Certificate\n listKind: CertificateList\n plural: certificates\n shortNames:\n - cert\n - certs\n singular: certificate\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n description: Certificate is a type to represent a Certificate from ACME\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: CertificateSpec defines the desired state of Certificate. A valid Certificate requires at least one of a CommonName, DNSName, or URISAN to be valid.\n properties:\n commonName:\n description: CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs.\n type: string\n dnsNames:\n description: DNSNames is a list of subject alt names to be used on the Certificate.\n items:\n type: string\n type: array\n duration:\n description: Certificate default Duration\n type: string\n ipAddresses:\n description: IPAddresses is a list of IP addresses to be used on the Certificate\n items:\n type: string\n type: array\n isCA:\n description: IsCA will mark this Certificate as valid for signing. This implies that the 'cert sign' usage is set\n type: boolean\n issuerRef:\n description: IssuerRef is a reference to the issuer for this certificate. If the 'kind' field is not set, or set to 'Issuer', an Issuer resource with the given name in the same namespace as the Certificate will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the provided name will be used. The 'name' field in this stanza is required at all times.\n properties:\n group:\n type: string\n kind:\n type: string\n name:\n type: string\n required:\n - name\n type: object\n keyAlgorithm:\n description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either \"rsa\" or \"ecdsa\" If KeyAlgorithm is specified and KeySize is not provided, key size of 256 will be used for \"ecdsa\" key algorithm and key size of 2048 will be used for \"rsa\" key algorithm.\n enum:\n - rsa\n - ecdsa\n type: string\n keyEncoding:\n description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are \"pkcs1\" and \"pkcs8\" standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then PKCS#1 will be used by default.\n enum:\n - pkcs1\n - pkcs8\n type: string\n keySize:\n description: KeySize is the key bit size of the corresponding private key for this certificate. If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is empty or is set to \"rsa\", and value must be one of (256, 384, 521) when KeyAlgorithm is set to \"ecdsa\".\n type: integer\n organization:\n description: Organization is the organization to be used on the Certificate\n items:\n type: string\n type: array\n renewBefore:\n description: Certificate renew before expiration duration\n type: string\n secretName:\n description: SecretName is the name of the secret resource to store this secret in\n type: string\n uriSANs:\n description: URISANs is a list of URI Subject Alternative Names to be set on this Certificate.\n items:\n type: string\n type: array\n usages:\n description: Usages is the set of x509 actions that are enabled for a given key. Defaults are ('digital signature', 'key encipherment') if empty\n items:\n description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12'\n enum:\n - signing\n - digital signature\n - content commitment\n - key encipherment\n - key agreement\n - data encipherment\n - cert sign\n - crl sign\n - encipher only\n - decipher only\n - any\n - server auth\n - client auth\n - code signing\n - email protection\n - s/mime\n - ipsec end system\n - ipsec tunnel\n - ipsec user\n - timestamping\n - ocsp signing\n - microsoft sgc\n - netscape sgc\n type: string\n type: array\n required:\n - issuerRef\n - secretName\n type: object\n status:\n description: CertificateStatus defines the observed state of Certificate\n properties:\n conditions:\n items:\n description: CertificateCondition contains condition information for an Certificate.\n properties:\n lastTransitionTime:\n description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.\n format: date-time\n type: string\n message:\n description: Message is a human readable description of the details of the last transition, complementing reason.\n type: string\n reason:\n description: Reason is a brief machine readable explanation for the condition's last transition.\n type: string\n status:\n description: Status of the condition, one of ('True', 'False', 'Unknown').\n enum:\n - \"True\"\n - \"False\"\n - Unknown\n type: string\n type:\n description: Type of the condition, currently ('Ready').\n type: string\n required:\n - status\n - type\n type: object\n type: array\n lastFailureTime:\n format: date-time\n type: string\n notAfter:\n description: The expiration time of the certificate stored in the secret named by this resource in spec.secretName.\n format: date-time\n type: string\n type: object\n type: object\n version: v1alpha2\n versions:\n - name: v1alpha2\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n creationTimestamp: null\n name: challenges.acme.cert-manager.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.state\n name: State\n type: string\n - JSONPath: .spec.dnsName\n name: Domain\n type: string\n - JSONPath: .status.reason\n name: Reason\n priority: 1\n type: string\n - JSONPath: .metadata.creationTimestamp\n description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n name: Age\n type: date\n group: acme.cert-manager.io\n names:\n kind: Challenge\n listKind: ChallengeList\n plural: challenges\n singular: challenge\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n description: Challenge is a type to represent a Challenge request with an ACME server\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n properties:\n authzURL:\n description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.\n type: string\n dnsName:\n description: DNSName is the identifier that this challenge is for, e.g. example.com.\n type: string\n issuerRef:\n description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.\n properties:\n group:\n type: string\n kind:\n type: string\n name:\n type: string\n required:\n - name\n type: object\n key:\n description: Key is the ACME challenge key for this challenge\n type: string\n solver:\n description: Solver contains the domain solving configuration that should be used to solve this challenge resource. Only **one** of 'config' or 'solver' may be specified, and if both are specified then no action will be performed on the Challenge resource.\n properties:\n dns01:\n properties:\n acmedns:\n description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the configuration for ACME-DNS servers\n properties:\n accountSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n host:\n type: string\n required:\n - accountSecretRef\n - host\n type: object\n akamai:\n description: ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS configuration for Akamai DNS—Zone Record Management API\n properties:\n accessTokenSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n clientSecretSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n clientTokenSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n serviceConsumerDomain:\n type: string\n required:\n - accessTokenSecretRef\n - clientSecretSecretRef\n - clientTokenSecretRef\n - serviceConsumerDomain\n type: object\n azuredns:\n description: ACMEIssuerDNS01ProviderAzureDNS is a structure containing the configuration for Azure DNS\n properties:\n clientID:\n type: string\n clientSecretSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n environment:\n enum:\n - AzurePublicCloud\n - AzureChinaCloud\n - AzureGermanCloud\n - AzureUSGovernmentCloud\n type: string\n hostedZoneName:\n type: string\n resourceGroupName:\n type: string\n subscriptionID:\n type: string\n tenantID:\n type: string\n required:\n - clientID\n - clientSecretSecretRef\n - resourceGroupName\n - subscriptionID\n - tenantID\n type: object\n clouddns:\n description: ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS configuration for Google Cloud DNS\n properties:\n project:\n type: string\n serviceAccountSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - project\n - serviceAccountSecretRef\n type: object\n cloudflare:\n description: ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS configuration for Cloudflare\n properties:\n apiKeySecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n email:\n type: string\n required:\n - apiKeySecretRef\n - email\n type: object\n cnameStrategy:\n description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.\n enum:\n - None\n - Follow\n type: string\n digitalocean:\n description: ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS configuration for DigitalOcean Domains\n properties:\n tokenSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - tokenSecretRef\n type: object\n rfc2136:\n description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing the configuration for RFC2136 DNS\n properties:\n nameserver:\n description: 'The IP address of the DNS supporting RFC2136. Required. Note: FQDN is not a valid value, only IP.'\n type: string\n tsigAlgorithm:\n description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when \"\"tsigSecretSecretRef\"\" and \"\"tsigKeyName\"\" are defined. Supported values are (case-insensitive): \"\"HMACMD5\"\" (default), \"\"HMACSHA1\"\", \"\"HMACSHA256\"\" or \"\"HMACSHA512\"\".'\n type: string\n tsigKeyName:\n description: The TSIG Key name configured in the DNS. If \"\"tsigSecretSecretRef\"\" is defined, this field is required.\n type: string\n tsigSecretSecretRef:\n description: The name of the secret containing the TSIG value. If \"\"tsigKeyName\"\" is defined, this field is required.\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - nameserver\n type: object\n route53:\n description: ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53 configuration for AWS\n properties:\n accessKeyID:\n description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'\n type: string\n hostedZoneID:\n description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.\n type: string\n region:\n description: Always set the region when using AccessKeyID and SecretAccessKey\n type: string\n role:\n description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata\n type: string\n secretAccessKeySecretRef:\n description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - region\n type: object\n webhook:\n description: ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01 provider, including where to POST ChallengePayload resources.\n properties:\n config:\n description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.\n x-kubernetes-preserve-unknown-fields: true\n groupName:\n description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.\n type: string\n solverName:\n description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.\n type: string\n required:\n - groupName\n - solverName\n type: object\n type: object\n http01:\n description: ACMEChallengeSolverHTTP01 contains configuration detailing how to solve HTTP01 challenges within a Kubernetes cluster. Typically this is accomplished through creating 'routes' of some description that configure ingress controllers to direct traffic to 'solver pods', which are responsible for responding to the ACME server's HTTP requests.\n properties:\n ingress:\n description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.\n properties:\n class:\n description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.\n type: string\n name:\n description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.\n type: string\n podTemplate:\n description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges\n properties:\n metadata:\n description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.\n type: object\n spec:\n description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'nodeSelector', 'affinity' and 'tolerations' fields are supported currently. All other fields will be ignored.\n properties:\n affinity:\n description: If specified, the pod's scheduling constraints\n properties:\n nodeAffinity:\n description: Describes node affinity scheduling rules for the pod.\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.\n items:\n description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).\n properties:\n preference:\n description: A node selector term, associated with the corresponding weight.\n properties:\n matchExpressions:\n description: A list of node selector requirements by node's labels.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n description: A list of node selector requirements by node's fields.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n weight:\n description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - preference\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.\n properties:\n nodeSelectorTerms:\n description: Required. A list of node selector terms. The terms are ORed.\n items:\n description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.\n properties:\n matchExpressions:\n description: A list of node selector requirements by node's labels.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n description: A list of node selector requirements by node's fields.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n type: array\n required:\n - nodeSelectorTerms\n type: object\n type: object\n podAffinity:\n description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.\n items:\n description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)\n properties:\n podAffinityTerm:\n description: Required. A pod affinity term, associated with the corresponding weight.\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n weight:\n description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.\n items:\n description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n podAntiAffinity:\n description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.\n items:\n description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)\n properties:\n podAffinityTerm:\n description: Required. A pod affinity term, associated with the corresponding weight.\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n weight:\n description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.\n items:\n description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n type: object\n nodeSelector:\n additionalProperties:\n type: string\n description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'\n type: object\n tolerations:\n description: If specified, the pod's tolerations.\n items:\n description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .\n properties:\n effect:\n description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.\n type: string\n key:\n description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.\n type: string\n operator:\n description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.\n type: string\n tolerationSeconds:\n description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.\n format: int64\n type: integer\n value:\n description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.\n type: string\n type: object\n type: array\n type: object\n type: object\n serviceType:\n description: Optional service type for Kubernetes solver service\n type: string\n type: object\n type: object\n selector:\n description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver.\n properties:\n dnsNames:\n description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.\n items:\n type: string\n type: array\n dnsZones:\n description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.\n items:\n type: string\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.\n type: object\n type: object\n type: object\n token:\n description: Token is the ACME challenge token for this challenge.\n type: string\n type:\n description: Type is the type of ACME challenge this resource represents, e.g. \"dns01\" or \"http01\"\n type: string\n url:\n description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.\n type: string\n wildcard:\n description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'\n type: boolean\n required:\n - authzURL\n - dnsName\n - issuerRef\n - key\n - token\n - type\n - url\n type: object\n status:\n properties:\n presented:\n description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).\n type: boolean\n processing:\n description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.\n type: boolean\n reason:\n description: Reason contains human readable information on why the Challenge is in the current state.\n type: string\n state:\n description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.\n enum:\n - valid\n - ready\n - pending\n - processing\n - invalid\n - expired\n - errored\n type: string\n type: object\n required:\n - metadata\n type: object\n version: v1alpha2\n versions:\n - name: v1alpha2\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterissuers.cert-manager.io\nspec:\n group: cert-manager.io\n names:\n kind: ClusterIssuer\n listKind: ClusterIssuerList\n plural: clusterissuers\n singular: clusterissuer\n scope: Cluster\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer.\n properties:\n acme:\n description: ACMEIssuer contains the specification for an ACME issuer\n properties:\n email:\n description: Email is the email for this account\n type: string\n privateKeySecretRef:\n description: PrivateKey is the name of a secret containing the private key for this user account.\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n server:\n description: Server is the ACME server URL\n type: string\n skipTLSVerify:\n description: If true, skip verifying the ACME server TLS certificate\n type: boolean\n solvers:\n description: Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains.\n items:\n properties:\n dns01:\n properties:\n acmedns:\n description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the configuration for ACME-DNS servers\n properties:\n accountSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n host:\n type: string\n required:\n - accountSecretRef\n - host\n type: object\n akamai:\n description: ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS configuration for Akamai DNS—Zone Record Management API\n properties:\n accessTokenSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n clientSecretSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n clientTokenSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n serviceConsumerDomain:\n type: string\n required:\n - accessTokenSecretRef\n - clientSecretSecretRef\n - clientTokenSecretRef\n - serviceConsumerDomain\n type: object\n azuredns:\n description: ACMEIssuerDNS01ProviderAzureDNS is a structure containing the configuration for Azure DNS\n properties:\n clientID:\n type: string\n clientSecretSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n environment:\n enum:\n - AzurePublicCloud\n - AzureChinaCloud\n - AzureGermanCloud\n - AzureUSGovernmentCloud\n type: string\n hostedZoneName:\n type: string\n resourceGroupName:\n type: string\n subscriptionID:\n type: string\n tenantID:\n type: string\n required:\n - clientID\n - clientSecretSecretRef\n - resourceGroupName\n - subscriptionID\n - tenantID\n type: object\n clouddns:\n description: ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS configuration for Google Cloud DNS\n properties:\n project:\n type: string\n serviceAccountSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - project\n - serviceAccountSecretRef\n type: object\n cloudflare:\n description: ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS configuration for Cloudflare\n properties:\n apiKeySecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n email:\n type: string\n required:\n - apiKeySecretRef\n - email\n type: object\n cnameStrategy:\n description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.\n enum:\n - None\n - Follow\n type: string\n digitalocean:\n description: ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS configuration for DigitalOcean Domains\n properties:\n tokenSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - tokenSecretRef\n type: object\n rfc2136:\n description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing the configuration for RFC2136 DNS\n properties:\n nameserver:\n description: 'The IP address of the DNS supporting RFC2136. Required. Note: FQDN is not a valid value, only IP.'\n type: string\n tsigAlgorithm:\n description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when \"\"tsigSecretSecretRef\"\" and \"\"tsigKeyName\"\" are defined. Supported values are (case-insensitive): \"\"HMACMD5\"\" (default), \"\"HMACSHA1\"\", \"\"HMACSHA256\"\" or \"\"HMACSHA512\"\".'\n type: string\n tsigKeyName:\n description: The TSIG Key name configured in the DNS. If \"\"tsigSecretSecretRef\"\" is defined, this field is required.\n type: string\n tsigSecretSecretRef:\n description: The name of the secret containing the TSIG value. If \"\"tsigKeyName\"\" is defined, this field is required.\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - nameserver\n type: object\n route53:\n description: ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53 configuration for AWS\n properties:\n accessKeyID:\n description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'\n type: string\n hostedZoneID:\n description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.\n type: string\n region:\n description: Always set the region when using AccessKeyID and SecretAccessKey\n type: string\n role:\n description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata\n type: string\n secretAccessKeySecretRef:\n description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - region\n type: object\n webhook:\n description: ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01 provider, including where to POST ChallengePayload resources.\n properties:\n config:\n description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.\n x-kubernetes-preserve-unknown-fields: true\n groupName:\n description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.\n type: string\n solverName:\n description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.\n type: string\n required:\n - groupName\n - solverName\n type: object\n type: object\n http01:\n description: ACMEChallengeSolverHTTP01 contains configuration detailing how to solve HTTP01 challenges within a Kubernetes cluster. Typically this is accomplished through creating 'routes' of some description that configure ingress controllers to direct traffic to 'solver pods', which are responsible for responding to the ACME server's HTTP requests.\n properties:\n ingress:\n description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.\n properties:\n class:\n description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.\n type: string\n name:\n description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.\n type: string\n podTemplate:\n description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges\n properties:\n metadata:\n description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.\n type: object\n spec:\n description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'nodeSelector', 'affinity' and 'tolerations' fields are supported currently. All other fields will be ignored.\n properties:\n affinity:\n description: If specified, the pod's scheduling constraints\n properties:\n nodeAffinity:\n description: Describes node affinity scheduling rules for the pod.\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.\n items:\n description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).\n properties:\n preference:\n description: A node selector term, associated with the corresponding weight.\n properties:\n matchExpressions:\n description: A list of node selector requirements by node's labels.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n description: A list of node selector requirements by node's fields.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n weight:\n description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - preference\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.\n properties:\n nodeSelectorTerms:\n description: Required. A list of node selector terms. The terms are ORed.\n items:\n description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.\n properties:\n matchExpressions:\n description: A list of node selector requirements by node's labels.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n description: A list of node selector requirements by node's fields.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n type: array\n required:\n - nodeSelectorTerms\n type: object\n type: object\n podAffinity:\n description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.\n items:\n description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)\n properties:\n podAffinityTerm:\n description: Required. A pod affinity term, associated with the corresponding weight.\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n weight:\n description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.\n items:\n description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n podAntiAffinity:\n description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.\n items:\n description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)\n properties:\n podAffinityTerm:\n description: Required. A pod affinity term, associated with the corresponding weight.\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n weight:\n description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.\n items:\n description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n type: object\n nodeSelector:\n additionalProperties:\n type: string\n description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'\n type: object\n tolerations:\n description: If specified, the pod's tolerations.\n items:\n description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .\n properties:\n effect:\n description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.\n type: string\n key:\n description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.\n type: string\n operator:\n description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.\n type: string\n tolerationSeconds:\n description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.\n format: int64\n type: integer\n value:\n description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.\n type: string\n type: object\n type: array\n type: object\n type: object\n serviceType:\n description: Optional service type for Kubernetes solver service\n type: string\n type: object\n type: object\n selector:\n description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver.\n properties:\n dnsNames:\n description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.\n items:\n type: string\n type: array\n dnsZones:\n description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.\n items:\n type: string\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.\n type: object\n type: object\n type: object\n type: array\n required:\n - privateKeySecretRef\n - server\n type: object\n ca:\n properties:\n secretName:\n description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.\n type: string\n required:\n - secretName\n type: object\n selfSigned:\n type: object\n vault:\n properties:\n auth:\n description: Vault authentication\n properties:\n appRole:\n description: This Secret contains a AppRole and Secret\n properties:\n path:\n description: Where the authentication path is mounted in Vault.\n type: string\n roleId:\n type: string\n secretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - path\n - roleId\n - secretRef\n type: object\n kubernetes:\n description: This contains a Role and Secret with a ServiceAccount token to authenticate with vault.\n properties:\n mountPath:\n description: The value here will be used as part of the path used when authenticating with vault, for example if you set a value of \"foo\", the path used will be \"/v1/auth/foo/login\". If unspecified, the default value \"kubernetes\" will be used.\n type: string\n role:\n description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.\n type: string\n secretRef:\n description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - role\n - secretRef\n type: object\n tokenSecretRef:\n description: This Secret contains the Vault token key\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n type: object\n caBundle:\n description: Base64 encoded CA bundle to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.\n format: byte\n type: string\n path:\n description: Vault URL path to the certificate role\n type: string\n server:\n description: Server is the vault connection address\n type: string\n required:\n - auth\n - path\n - server\n type: object\n venafi:\n description: VenafiIssuer describes issuer configuration details for Venafi Cloud.\n properties:\n cloud:\n description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.\n properties:\n apiTokenSecretRef:\n description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n url:\n description: URL is the base URL for Venafi Cloud\n type: string\n required:\n - apiTokenSecretRef\n - url\n type: object\n tpp:\n description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.\n properties:\n caBundle:\n description: CABundle is a PEM encoded TLS certifiate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.\n format: byte\n type: string\n credentialsRef:\n description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n url:\n description: URL is the base URL for the Venafi TPP instance\n type: string\n required:\n - credentialsRef\n - url\n type: object\n zone:\n description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.\n type: string\n required:\n - zone\n type: object\n type: object\n status:\n description: IssuerStatus contains status information about an Issuer\n properties:\n acme:\n properties:\n lastRegisteredEmail:\n description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer\n type: string\n uri:\n description: URI is the unique account identifier, which can also be used to retrieve account details from the CA\n type: string\n type: object\n conditions:\n items:\n description: IssuerCondition contains condition information for an Issuer.\n properties:\n lastTransitionTime:\n description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.\n format: date-time\n type: string\n message:\n description: Message is a human readable description of the details of the last transition, complementing reason.\n type: string\n reason:\n description: Reason is a brief machine readable explanation for the condition's last transition.\n type: string\n status:\n description: Status of the condition, one of ('True', 'False', 'Unknown').\n enum:\n - \"True\"\n - \"False\"\n - Unknown\n type: string\n type:\n description: Type of the condition, currently ('Ready').\n type: string\n required:\n - status\n - type\n type: object\n type: array\n type: object\n type: object\n version: v1alpha2\n versions:\n - name: v1alpha2\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: issuers.cert-manager.io\nspec:\n group: cert-manager.io\n names:\n kind: Issuer\n listKind: IssuerList\n plural: issuers\n singular: issuer\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer.\n properties:\n acme:\n description: ACMEIssuer contains the specification for an ACME issuer\n properties:\n email:\n description: Email is the email for this account\n type: string\n privateKeySecretRef:\n description: PrivateKey is the name of a secret containing the private key for this user account.\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n server:\n description: Server is the ACME server URL\n type: string\n skipTLSVerify:\n description: If true, skip verifying the ACME server TLS certificate\n type: boolean\n solvers:\n description: Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains.\n items:\n properties:\n dns01:\n properties:\n acmedns:\n description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the configuration for ACME-DNS servers\n properties:\n accountSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n host:\n type: string\n required:\n - accountSecretRef\n - host\n type: object\n akamai:\n description: ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS configuration for Akamai DNS—Zone Record Management API\n properties:\n accessTokenSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n clientSecretSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n clientTokenSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n serviceConsumerDomain:\n type: string\n required:\n - accessTokenSecretRef\n - clientSecretSecretRef\n - clientTokenSecretRef\n - serviceConsumerDomain\n type: object\n azuredns:\n description: ACMEIssuerDNS01ProviderAzureDNS is a structure containing the configuration for Azure DNS\n properties:\n clientID:\n type: string\n clientSecretSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n environment:\n enum:\n - AzurePublicCloud\n - AzureChinaCloud\n - AzureGermanCloud\n - AzureUSGovernmentCloud\n type: string\n hostedZoneName:\n type: string\n resourceGroupName:\n type: string\n subscriptionID:\n type: string\n tenantID:\n type: string\n required:\n - clientID\n - clientSecretSecretRef\n - resourceGroupName\n - subscriptionID\n - tenantID\n type: object\n clouddns:\n description: ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS configuration for Google Cloud DNS\n properties:\n project:\n type: string\n serviceAccountSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - project\n - serviceAccountSecretRef\n type: object\n cloudflare:\n description: ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS configuration for Cloudflare\n properties:\n apiKeySecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n email:\n type: string\n required:\n - apiKeySecretRef\n - email\n type: object\n cnameStrategy:\n description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.\n enum:\n - None\n - Follow\n type: string\n digitalocean:\n description: ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS configuration for DigitalOcean Domains\n properties:\n tokenSecretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - tokenSecretRef\n type: object\n rfc2136:\n description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing the configuration for RFC2136 DNS\n properties:\n nameserver:\n description: 'The IP address of the DNS supporting RFC2136. Required. Note: FQDN is not a valid value, only IP.'\n type: string\n tsigAlgorithm:\n description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when \"\"tsigSecretSecretRef\"\" and \"\"tsigKeyName\"\" are defined. Supported values are (case-insensitive): \"\"HMACMD5\"\" (default), \"\"HMACSHA1\"\", \"\"HMACSHA256\"\" or \"\"HMACSHA512\"\".'\n type: string\n tsigKeyName:\n description: The TSIG Key name configured in the DNS. If \"\"tsigSecretSecretRef\"\" is defined, this field is required.\n type: string\n tsigSecretSecretRef:\n description: The name of the secret containing the TSIG value. If \"\"tsigKeyName\"\" is defined, this field is required.\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - nameserver\n type: object\n route53:\n description: ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53 configuration for AWS\n properties:\n accessKeyID:\n description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'\n type: string\n hostedZoneID:\n description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.\n type: string\n region:\n description: Always set the region when using AccessKeyID and SecretAccessKey\n type: string\n role:\n description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata\n type: string\n secretAccessKeySecretRef:\n description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - region\n type: object\n webhook:\n description: ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01 provider, including where to POST ChallengePayload resources.\n properties:\n config:\n description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.\n x-kubernetes-preserve-unknown-fields: true\n groupName:\n description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.\n type: string\n solverName:\n description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.\n type: string\n required:\n - groupName\n - solverName\n type: object\n type: object\n http01:\n description: ACMEChallengeSolverHTTP01 contains configuration detailing how to solve HTTP01 challenges within a Kubernetes cluster. Typically this is accomplished through creating 'routes' of some description that configure ingress controllers to direct traffic to 'solver pods', which are responsible for responding to the ACME server's HTTP requests.\n properties:\n ingress:\n description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.\n properties:\n class:\n description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.\n type: string\n name:\n description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.\n type: string\n podTemplate:\n description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges\n properties:\n metadata:\n description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.\n type: object\n spec:\n description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'nodeSelector', 'affinity' and 'tolerations' fields are supported currently. All other fields will be ignored.\n properties:\n affinity:\n description: If specified, the pod's scheduling constraints\n properties:\n nodeAffinity:\n description: Describes node affinity scheduling rules for the pod.\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.\n items:\n description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).\n properties:\n preference:\n description: A node selector term, associated with the corresponding weight.\n properties:\n matchExpressions:\n description: A list of node selector requirements by node's labels.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n description: A list of node selector requirements by node's fields.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n weight:\n description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - preference\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.\n properties:\n nodeSelectorTerms:\n description: Required. A list of node selector terms. The terms are ORed.\n items:\n description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.\n properties:\n matchExpressions:\n description: A list of node selector requirements by node's labels.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n description: A list of node selector requirements by node's fields.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n type: array\n required:\n - nodeSelectorTerms\n type: object\n type: object\n podAffinity:\n description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.\n items:\n description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)\n properties:\n podAffinityTerm:\n description: Required. A pod affinity term, associated with the corresponding weight.\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n weight:\n description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.\n items:\n description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n podAntiAffinity:\n description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.\n items:\n description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)\n properties:\n podAffinityTerm:\n description: Required. A pod affinity term, associated with the corresponding weight.\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n weight:\n description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.\n items:\n description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n type: object\n nodeSelector:\n additionalProperties:\n type: string\n description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'\n type: object\n tolerations:\n description: If specified, the pod's tolerations.\n items:\n description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .\n properties:\n effect:\n description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.\n type: string\n key:\n description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.\n type: string\n operator:\n description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.\n type: string\n tolerationSeconds:\n description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.\n format: int64\n type: integer\n value:\n description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.\n type: string\n type: object\n type: array\n type: object\n type: object\n serviceType:\n description: Optional service type for Kubernetes solver service\n type: string\n type: object\n type: object\n selector:\n description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver.\n properties:\n dnsNames:\n description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.\n items:\n type: string\n type: array\n dnsZones:\n description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.\n items:\n type: string\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.\n type: object\n type: object\n type: object\n type: array\n required:\n - privateKeySecretRef\n - server\n type: object\n ca:\n properties:\n secretName:\n description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.\n type: string\n required:\n - secretName\n type: object\n selfSigned:\n type: object\n vault:\n properties:\n auth:\n description: Vault authentication\n properties:\n appRole:\n description: This Secret contains a AppRole and Secret\n properties:\n path:\n description: Where the authentication path is mounted in Vault.\n type: string\n roleId:\n type: string\n secretRef:\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - path\n - roleId\n - secretRef\n type: object\n kubernetes:\n description: This contains a Role and Secret with a ServiceAccount token to authenticate with vault.\n properties:\n mountPath:\n description: The value here will be used as part of the path used when authenticating with vault, for example if you set a value of \"foo\", the path used will be \"/v1/auth/foo/login\". If unspecified, the default value \"kubernetes\" will be used.\n type: string\n role:\n description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.\n type: string\n secretRef:\n description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n required:\n - role\n - secretRef\n type: object\n tokenSecretRef:\n description: This Secret contains the Vault token key\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n type: object\n caBundle:\n description: Base64 encoded CA bundle to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.\n format: byte\n type: string\n path:\n description: Vault URL path to the certificate role\n type: string\n server:\n description: Server is the vault connection address\n type: string\n required:\n - auth\n - path\n - server\n type: object\n venafi:\n description: VenafiIssuer describes issuer configuration details for Venafi Cloud.\n properties:\n cloud:\n description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.\n properties:\n apiTokenSecretRef:\n description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n url:\n description: URL is the base URL for Venafi Cloud\n type: string\n required:\n - apiTokenSecretRef\n - url\n type: object\n tpp:\n description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.\n properties:\n caBundle:\n description: CABundle is a PEM encoded TLS certifiate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.\n format: byte\n type: string\n credentialsRef:\n description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n required:\n - name\n type: object\n url:\n description: URL is the base URL for the Venafi TPP instance\n type: string\n required:\n - credentialsRef\n - url\n type: object\n zone:\n description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.\n type: string\n required:\n - zone\n type: object\n type: object\n status:\n description: IssuerStatus contains status information about an Issuer\n properties:\n acme:\n properties:\n lastRegisteredEmail:\n description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer\n type: string\n uri:\n description: URI is the unique account identifier, which can also be used to retrieve account details from the CA\n type: string\n type: object\n conditions:\n items:\n description: IssuerCondition contains condition information for an Issuer.\n properties:\n lastTransitionTime:\n description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.\n format: date-time\n type: string\n message:\n description: Message is a human readable description of the details of the last transition, complementing reason.\n type: string\n reason:\n description: Reason is a brief machine readable explanation for the condition's last transition.\n type: string\n status:\n description: Status of the condition, one of ('True', 'False', 'Unknown').\n enum:\n - \"True\"\n - \"False\"\n - Unknown\n type: string\n type:\n description: Type of the condition, currently ('Ready').\n type: string\n required:\n - status\n - type\n type: object\n type: array\n type: object\n type: object\n version: v1alpha2\n versions:\n - name: v1alpha2\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: orders.acme.cert-manager.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.state\n name: State\n type: string\n - JSONPath: .spec.issuerRef.name\n name: Issuer\n priority: 1\n type: string\n - JSONPath: .status.reason\n name: Reason\n priority: 1\n type: string\n - JSONPath: .metadata.creationTimestamp\n description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n name: Age\n type: date\n group: acme.cert-manager.io\n names:\n kind: Order\n listKind: OrderList\n plural: orders\n singular: order\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n description: Order is a type to represent an Order with an ACME server\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n properties:\n commonName:\n description: CommonName is the common name as specified on the DER encoded CSR. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least one of CommonName or a DNSNames must be set. This field must match the corresponding field on the DER encoded CSR.\n type: string\n csr:\n description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.\n format: byte\n type: string\n dnsNames:\n description: DNSNames is a list of DNS names that should be included as part of the Order validation process. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least one of CommonName or a DNSNames must be set. This field must match the corresponding field on the DER encoded CSR.\n items:\n type: string\n type: array\n issuerRef:\n description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.\n properties:\n group:\n type: string\n kind:\n type: string\n name:\n type: string\n required:\n - name\n type: object\n required:\n - csr\n - issuerRef\n type: object\n status:\n properties:\n authorizations:\n description: Authorizations contains data returned from the ACME server on what authoriations must be completed in order to validate the DNS names specified on the Order.\n items:\n description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.\n properties:\n challenges:\n description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.\n items:\n description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.\n properties:\n token:\n description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.\n type: string\n type:\n description: Type is the type of challenge being offered, e.g. http-01, dns-01\n type: string\n url:\n description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.\n type: string\n required:\n - token\n - type\n - url\n type: object\n type: array\n identifier:\n description: Identifier is the DNS name to be validated as part of this authorization\n type: string\n url:\n description: URL is the URL of the Authorization that must be completed\n type: string\n wildcard:\n description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.\n type: boolean\n required:\n - url\n type: object\n type: array\n certificate:\n description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.\n format: byte\n type: string\n failureTime:\n description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.\n format: date-time\n type: string\n finalizeURL:\n description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.\n type: string\n reason:\n description: Reason optionally provides more information about a why the order is in the current state.\n type: string\n state:\n description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'\n enum:\n - valid\n - ready\n - pending\n - processing\n - invalid\n - expired\n - errored\n type: string\n url:\n description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.\n type: string\n type: object\n required:\n - metadata\n type: object\n version: v1alpha2\n versions:\n - name: v1alpha2\n served: true\n storage: true\n"
},
{
"path": "manifest1.3/003-cert-manager-overlays-self-signed.yaml",
"content": "apiVersion: v1\nkind: Namespace\nmetadata:\n labels:\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager\n namespace: cert-manager\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: cainjector\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-cainjector\n namespace: cert-manager\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-webhook\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n rbac.authorization.k8s.io/aggregate-to-edit: \"true\"\n name: cert-manager-edit\nrules:\n- apiGroups:\n - cert-manager.io\n resources:\n - certificates\n - certificaterequests\n - issuers\n verbs:\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n rbac.authorization.k8s.io/aggregate-to-edit: \"true\"\n rbac.authorization.k8s.io/aggregate-to-view: \"true\"\n name: cert-manager-view\nrules:\n- apiGroups:\n - cert-manager.io\n resources:\n - certificates\n - certificaterequests\n - issuers\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-webhook:webhook-requester\nrules:\n- apiGroups:\n - admission.cert-manager.io\n resources:\n - certificates\n - certificaterequests\n - issuers\n - clusterissuers\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: cainjector\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-cainjector\nrules:\n- apiGroups:\n - cert-manager.io\n resources:\n - certificates\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - get\n - create\n - update\n - patch\n- apiGroups:\n - admissionregistration.k8s.io\n resources:\n - validatingwebhookconfigurations\n - mutatingwebhookconfigurations\n verbs:\n - get\n - list\n - watch\n - update\n- apiGroups:\n - apiregistration.k8s.io\n resources:\n - apiservices\n verbs:\n - get\n - list\n - watch\n - update\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - get\n - list\n - watch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-certificates\nrules:\n- apiGroups:\n - cert-manager.io\n resources:\n - certificates\n - certificates/status\n - certificaterequests\n - certificaterequests/status\n verbs:\n - update\n- apiGroups:\n - cert-manager.io\n resources:\n - certificates\n - certificaterequests\n - clusterissuers\n - issuers\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - cert-manager.io\n resources:\n - certificates/finalizers\n verbs:\n - update\n- apiGroups:\n - acme.cert-manager.io\n resources:\n - orders\n verbs:\n - create\n - delete\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-challenges\nrules:\n- apiGroups:\n - acme.cert-manager.io\n resources:\n - challenges\n - challenges/status\n verbs:\n - update\n- apiGroups:\n - acme.cert-manager.io\n resources:\n - challenges\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - cert-manager.io\n resources:\n - issuers\n - clusterissuers\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n- apiGroups:\n - \"\"\n resources:\n - pods\n - services\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n- apiGroups:\n - extensions\n - networking.k8s.io/v1\n resources:\n - ingresses\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n - update\n- apiGroups:\n - acme.cert-manager.io\n resources:\n - challenges/finalizers\n verbs:\n - update\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-clusterissuers\nrules:\n- apiGroups:\n - cert-manager.io\n resources:\n - clusterissuers\n - clusterissuers/status\n verbs:\n - update\n- apiGroups:\n - cert-manager.io\n resources:\n - clusterissuers\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-ingress-shim\nrules:\n- apiGroups:\n - cert-manager.io\n resources:\n - certificates\n - certificaterequests\n verbs:\n - create\n - update\n - delete\n- apiGroups:\n - cert-manager.io\n resources:\n - certificates\n - certificaterequests\n - issuers\n - clusterissuers\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - networking.k8s.io/v1\n resources:\n - ingresses\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - networking.k8s.io/v1\n resources:\n - ingresses/finalizers\n verbs:\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-issuers\nrules:\n- apiGroups:\n - cert-manager.io\n resources:\n - issuers\n - issuers/status\n verbs:\n - update\n- apiGroups:\n - cert-manager.io\n resources:\n - issuers\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-orders\nrules:\n- apiGroups:\n - acme.cert-manager.io\n resources:\n - orders\n - orders/status\n verbs:\n - update\n- apiGroups:\n - acme.cert-manager.io\n resources:\n - orders\n - challenges\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - cert-manager.io\n resources:\n - clusterissuers\n - issuers\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - acme.cert-manager.io\n resources:\n - challenges\n verbs:\n - create\n - delete\n- apiGroups:\n - acme.cert-manager.io\n resources:\n - orders/finalizers\n verbs:\n - update\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: cainjector\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-cainjector\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: cert-manager-cainjector\nsubjects:\n- kind: ServiceAccount\n name: cert-manager-cainjector\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-certificates\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: cert-manager-controller-certificates\nsubjects:\n- kind: ServiceAccount\n name: cert-manager\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-challenges\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: cert-manager-controller-challenges\nsubjects:\n- kind: ServiceAccount\n name: cert-manager\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-clusterissuers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: cert-manager-controller-clusterissuers\nsubjects:\n- kind: ServiceAccount\n name: cert-manager\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-ingress-shim\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: cert-manager-controller-ingress-shim\nsubjects:\n- kind: ServiceAccount\n name: cert-manager\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-issuers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: cert-manager-controller-issuers\nsubjects:\n- kind: ServiceAccount\n name: cert-manager\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-controller-orders\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: cert-manager-controller-orders\nsubjects:\n- kind: ServiceAccount\n name: cert-manager\n namespace: cert-manager\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-webhook:auth-delegator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: system:auth-delegator\nsubjects:\n- apiGroup: \"\"\n kind: ServiceAccount\n name: cert-manager-webhook\n namespace: cert-manager\n---\napiVersion: v1\ndata:\n namespace: cert-manager\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-parameters\n namespace: cert-manager\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager\n namespace: cert-manager\nspec:\n ports:\n - port: 9402\n protocol: TCP\n targetPort: 9402\n selector:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n type: ClusterIP\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-webhook\n namespace: cert-manager\nspec:\n ports:\n - name: https\n port: 443\n targetPort: 6443\n selector:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n type: ClusterIP\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager\n namespace: cert-manager\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n template:\n metadata:\n annotations:\n prometheus.io/path: /metrics\n prometheus.io/port: \"9402\"\n prometheus.io/scrape: \"true\"\n labels:\n app: cert-manager\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n spec:\n containers:\n - args:\n - --v=2\n - --cluster-resource-namespace=$(POD_NAMESPACE)\n - --leader-election-namespace=kube-system\n - --webhook-namespace=$(POD_NAMESPACE)\n - --webhook-ca-secret=cert-manager-webhook-ca\n - --webhook-serving-secret=cert-manager-webhook-tls\n - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc\n env:\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/jetstack-cert-manager-controller:v0.11.0-f127a\n imagePullPolicy: IfNotPresent\n name: cert-manager\n ports:\n - containerPort: 9402\n resources:\n requests:\n cpu: 10m\n memory: 32Mi\n serviceAccountName: cert-manager\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: cainjector\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-cainjector\n namespace: cert-manager\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: cainjector\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n template:\n metadata:\n annotations: null\n labels:\n app: cainjector\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n spec:\n containers:\n - args:\n - --v=2\n - --leader-election-namespace=kube-system\n env:\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/jetstack-cert-manager-cainjector:v0.11.0-26f79\n imagePullPolicy: IfNotPresent\n name: cainjector\n resources: {}\n serviceAccountName: cert-manager-cainjector\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-webhook\n namespace: cert-manager\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n template:\n metadata:\n annotations: null\n labels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n spec:\n containers:\n - args:\n - --v=2\n - --secure-port=6443\n - --tls-cert-file=/certs/tls.crt\n - --tls-private-key-file=/certs/tls.key\n env:\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/jetstack-cert-manager-webhook:v0.11.0-18a2f\n imagePullPolicy: IfNotPresent\n name: cert-manager\n resources: {}\n volumeMounts:\n - mountPath: /certs\n name: certs\n serviceAccountName: cert-manager-webhook\n volumes:\n - name: certs\n secret:\n secretName: cert-manager-webhook-tls\n---\napiVersion: apiregistration.k8s.io/v1beta1\nkind: APIService\nmetadata:\n annotations:\n cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls\n labels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: v1beta1.webhook.cert-manager.io\nspec:\n group: webhook.cert-manager.io\n groupPriorityMinimum: 1000\n service:\n name: cert-manager-webhook\n namespace: cert-manager\n version: v1beta1\n versionPriority: 15\n---\napiVersion: cert-manager.io/v1alpha2\nkind: ClusterIssuer\nmetadata:\n labels:\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: kubeflow-self-signing-issuer\nspec:\n selfSigned: {}\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: MutatingWebhookConfiguration\nmetadata:\n annotations:\n cert-manager.io/inject-apiserver-ca: \"true\"\n labels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-webhook\nwebhooks:\n- clientConfig:\n caBundle: \"\"\n service:\n name: kubernetes\n namespace: default\n path: /apis/webhook.cert-manager.io/v1beta1/mutations\n failurePolicy: Fail\n name: webhook.cert-manager.io\n rules:\n - apiGroups:\n - cert-manager.io\n apiVersions:\n - v1alpha2\n operations:\n - CREATE\n - UPDATE\n resources:\n - certificates\n - issuers\n - clusterissuers\n - orders\n - challenges\n - certificaterequests\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n annotations:\n cert-manager.io/inject-apiserver-ca: \"true\"\n labels:\n app: webhook\n app.kubernetes.io/component: cert-manager\n app.kubernetes.io/name: cert-manager\n kustomize.component: cert-manager\n name: cert-manager-webhook\nwebhooks:\n- clientConfig:\n caBundle: \"\"\n service:\n name: kubernetes\n namespace: default\n path: /apis/webhook.cert-manager.io/v1beta1/validations\n failurePolicy: Fail\n name: webhook.certmanager.k8s.io\n rules:\n - apiGroups:\n - cert-manager.io\n apiVersions:\n - v1alpha2\n operations:\n - CREATE\n - UPDATE\n resources:\n - certificates\n - issuers\n - clusterissuers\n - certificaterequests\n sideEffects: None\n"
},
{
"path": "manifest1.3/004-istio-1-9-0-istio-crds-base.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n istio: security\n release: istio\n name: authorizationpolicies.security.istio.io\nspec:\n group: security.istio.io\n names:\n categories:\n - istio-io\n - security-istio-io\n kind: AuthorizationPolicy\n listKind: AuthorizationPolicyList\n plural: authorizationpolicies\n singular: authorizationpolicy\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html'\n oneOf:\n - not:\n anyOf:\n - required:\n - provider\n - required:\n - provider\n properties:\n action:\n description: Optional.\n enum:\n - ALLOW\n - DENY\n - AUDIT\n - CUSTOM\n type: string\n provider:\n description: Specifies detailed configuration of the CUSTOM action.\n properties:\n name:\n description: Specifies the name of the extension provider.\n format: string\n type: string\n type: object\n rules:\n description: Optional.\n items:\n properties:\n from:\n description: Optional.\n items:\n properties:\n source:\n description: Source specifies the source of a request.\n properties:\n ipBlocks:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n namespaces:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n notIpBlocks:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n notNamespaces:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n notPrincipals:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n notRemoteIpBlocks:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n notRequestPrincipals:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n principals:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n remoteIpBlocks:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n requestPrincipals:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n type: object\n type: object\n type: array\n to:\n description: Optional.\n items:\n properties:\n operation:\n description: Operation specifies the operation of a request.\n properties:\n hosts:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n methods:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n notHosts:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n notMethods:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n notPaths:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n notPorts:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n paths:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n ports:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n type: object\n type: object\n type: array\n when:\n description: Optional.\n items:\n properties:\n key:\n description: The name of an Istio attribute.\n format: string\n type: string\n notValues:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n values:\n description: Optional.\n items:\n format: string\n type: string\n type: array\n type: object\n type: array\n type: object\n type: array\n selector:\n description: Optional.\n properties:\n matchLabels:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1beta1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n release: istio\n name: destinationrules.networking.istio.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .spec.host\n description: The name of a service from the service registry\n name: Host\n type: string\n - JSONPath: .metadata.creationTimestamp\n description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'\n name: Age\n type: date\n group: networking.istio.io\n names:\n categories:\n - istio-io\n - networking-istio-io\n kind: DestinationRule\n listKind: DestinationRuleList\n plural: destinationrules\n shortNames:\n - dr\n singular: destinationrule\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'\n properties:\n exportTo:\n description: A list of namespaces to which this destination rule is exported.\n items:\n format: string\n type: string\n type: array\n host:\n description: The name of a service from the service registry.\n format: string\n type: string\n subsets:\n items:\n properties:\n labels:\n additionalProperties:\n format: string\n type: string\n type: object\n name:\n description: Name of the subset.\n format: string\n type: string\n trafficPolicy:\n description: Traffic policies that apply to this subset.\n properties:\n connectionPool:\n properties:\n http:\n description: HTTP connection pool settings.\n properties:\n h2UpgradePolicy:\n description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.\n enum:\n - DEFAULT\n - DO_NOT_UPGRADE\n - UPGRADE\n type: string\n http1MaxPendingRequests:\n description: Maximum number of pending HTTP requests to a destination.\n format: int32\n type: integer\n http2MaxRequests:\n description: Maximum number of requests to a backend.\n format: int32\n type: integer\n idleTimeout:\n description: The idle timeout for upstream connection pool connections.\n type: string\n maxRequestsPerConnection:\n description: Maximum number of requests per connection to a backend.\n format: int32\n type: integer\n maxRetries:\n format: int32\n type: integer\n useClientProtocol:\n description: If set to true, client protocol will be preserved while initiating connection to backend.\n type: boolean\n type: object\n tcp:\n description: Settings common to both HTTP and TCP upstream connections.\n properties:\n connectTimeout:\n description: TCP connection timeout.\n type: string\n maxConnections:\n description: Maximum number of HTTP1 /TCP connections to a destination host.\n format: int32\n type: integer\n tcpKeepalive:\n description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.\n properties:\n interval:\n description: The time duration between keep-alive probes.\n type: string\n probes:\n type: integer\n time:\n type: string\n type: object\n type: object\n type: object\n loadBalancer:\n description: Settings controlling the load balancer algorithms.\n oneOf:\n - not:\n anyOf:\n - required:\n - simple\n - properties:\n consistentHash:\n oneOf:\n - not:\n anyOf:\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n required:\n - consistentHash\n - required:\n - simple\n - properties:\n consistentHash:\n oneOf:\n - not:\n anyOf:\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n required:\n - consistentHash\n properties:\n consistentHash:\n properties:\n httpCookie:\n description: Hash based on HTTP cookie.\n properties:\n name:\n description: Name of the cookie.\n format: string\n type: string\n path:\n description: Path to set for the cookie.\n format: string\n type: string\n ttl:\n description: Lifetime of the cookie.\n type: string\n type: object\n httpHeaderName:\n description: Hash based on a specific HTTP header.\n format: string\n type: string\n httpQueryParameterName:\n description: Hash based on a specific HTTP query parameter.\n format: string\n type: string\n minimumRingSize:\n type: integer\n useSourceIp:\n description: Hash based on the source IP address.\n type: boolean\n type: object\n localityLbSetting:\n properties:\n distribute:\n description: 'Optional: only one of distribute or failover can be set.'\n items:\n properties:\n from:\n description: Originating locality, '/' separated, e.g.\n format: string\n type: string\n to:\n additionalProperties:\n type: integer\n description: Map of upstream localities to traffic distribution weights.\n type: object\n type: object\n type: array\n enabled:\n description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.\n nullable: true\n type: boolean\n failover:\n description: 'Optional: only failover or distribute can be set.'\n items:\n properties:\n from:\n description: Originating region.\n format: string\n type: string\n to:\n format: string\n type: string\n type: object\n type: array\n type: object\n simple:\n enum:\n - ROUND_ROBIN\n - LEAST_CONN\n - RANDOM\n - PASSTHROUGH\n type: string\n type: object\n outlierDetection:\n properties:\n baseEjectionTime:\n description: Minimum ejection duration.\n type: string\n consecutive5xxErrors:\n description: Number of 5xx errors before a host is ejected from the connection pool.\n nullable: true\n type: integer\n consecutiveErrors:\n format: int32\n type: integer\n consecutiveGatewayErrors:\n description: Number of gateway errors before a host is ejected from the connection pool.\n nullable: true\n type: integer\n interval:\n description: Time interval between ejection sweep analysis.\n type: string\n maxEjectionPercent:\n format: int32\n type: integer\n minHealthPercent:\n format: int32\n type: integer\n type: object\n portLevelSettings:\n description: Traffic policies specific to individual ports.\n items:\n properties:\n connectionPool:\n properties:\n http:\n description: HTTP connection pool settings.\n properties:\n h2UpgradePolicy:\n description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.\n enum:\n - DEFAULT\n - DO_NOT_UPGRADE\n - UPGRADE\n type: string\n http1MaxPendingRequests:\n description: Maximum number of pending HTTP requests to a destination.\n format: int32\n type: integer\n http2MaxRequests:\n description: Maximum number of requests to a backend.\n format: int32\n type: integer\n idleTimeout:\n description: The idle timeout for upstream connection pool connections.\n type: string\n maxRequestsPerConnection:\n description: Maximum number of requests per connection to a backend.\n format: int32\n type: integer\n maxRetries:\n format: int32\n type: integer\n useClientProtocol:\n description: If set to true, client protocol will be preserved while initiating connection to backend.\n type: boolean\n type: object\n tcp:\n description: Settings common to both HTTP and TCP upstream connections.\n properties:\n connectTimeout:\n description: TCP connection timeout.\n type: string\n maxConnections:\n description: Maximum number of HTTP1 /TCP connections to a destination host.\n format: int32\n type: integer\n tcpKeepalive:\n description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.\n properties:\n interval:\n description: The time duration between keep-alive probes.\n type: string\n probes:\n type: integer\n time:\n type: string\n type: object\n type: object\n type: object\n loadBalancer:\n description: Settings controlling the load balancer algorithms.\n oneOf:\n - not:\n anyOf:\n - required:\n - simple\n - properties:\n consistentHash:\n oneOf:\n - not:\n anyOf:\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n required:\n - consistentHash\n - required:\n - simple\n - properties:\n consistentHash:\n oneOf:\n - not:\n anyOf:\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n required:\n - consistentHash\n properties:\n consistentHash:\n properties:\n httpCookie:\n description: Hash based on HTTP cookie.\n properties:\n name:\n description: Name of the cookie.\n format: string\n type: string\n path:\n description: Path to set for the cookie.\n format: string\n type: string\n ttl:\n description: Lifetime of the cookie.\n type: string\n type: object\n httpHeaderName:\n description: Hash based on a specific HTTP header.\n format: string\n type: string\n httpQueryParameterName:\n description: Hash based on a specific HTTP query parameter.\n format: string\n type: string\n minimumRingSize:\n type: integer\n useSourceIp:\n description: Hash based on the source IP address.\n type: boolean\n type: object\n localityLbSetting:\n properties:\n distribute:\n description: 'Optional: only one of distribute or failover can be set.'\n items:\n properties:\n from:\n description: Originating locality, '/' separated, e.g.\n format: string\n type: string\n to:\n additionalProperties:\n type: integer\n description: Map of upstream localities to traffic distribution weights.\n type: object\n type: object\n type: array\n enabled:\n description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.\n nullable: true\n type: boolean\n failover:\n description: 'Optional: only failover or distribute can be set.'\n items:\n properties:\n from:\n description: Originating region.\n format: string\n type: string\n to:\n format: string\n type: string\n type: object\n type: array\n type: object\n simple:\n enum:\n - ROUND_ROBIN\n - LEAST_CONN\n - RANDOM\n - PASSTHROUGH\n type: string\n type: object\n outlierDetection:\n properties:\n baseEjectionTime:\n description: Minimum ejection duration.\n type: string\n consecutive5xxErrors:\n description: Number of 5xx errors before a host is ejected from the connection pool.\n nullable: true\n type: integer\n consecutiveErrors:\n format: int32\n type: integer\n consecutiveGatewayErrors:\n description: Number of gateway errors before a host is ejected from the connection pool.\n nullable: true\n type: integer\n interval:\n description: Time interval between ejection sweep analysis.\n type: string\n maxEjectionPercent:\n format: int32\n type: integer\n minHealthPercent:\n format: int32\n type: integer\n type: object\n port:\n properties:\n number:\n type: integer\n type: object\n tls:\n description: TLS related settings for connections to the upstream service.\n properties:\n caCertificates:\n format: string\n type: string\n clientCertificate:\n description: REQUIRED if mode is `MUTUAL`.\n format: string\n type: string\n credentialName:\n format: string\n type: string\n mode:\n enum:\n - DISABLE\n - SIMPLE\n - MUTUAL\n - ISTIO_MUTUAL\n type: string\n privateKey:\n description: REQUIRED if mode is `MUTUAL`.\n format: string\n type: string\n sni:\n description: SNI string to present to the server during TLS handshake.\n format: string\n type: string\n subjectAltNames:\n items:\n format: string\n type: string\n type: array\n type: object\n type: object\n type: array\n tls:\n description: TLS related settings for connections to the upstream service.\n properties:\n caCertificates:\n format: string\n type: string\n clientCertificate:\n description: REQUIRED if mode is `MUTUAL`.\n format: string\n type: string\n credentialName:\n format: string\n type: string\n mode:\n enum:\n - DISABLE\n - SIMPLE\n - MUTUAL\n - ISTIO_MUTUAL\n type: string\n privateKey:\n description: REQUIRED if mode is `MUTUAL`.\n format: string\n type: string\n sni:\n description: SNI string to present to the server during TLS handshake.\n format: string\n type: string\n subjectAltNames:\n items:\n format: string\n type: string\n type: array\n type: object\n type: object\n type: object\n type: array\n trafficPolicy:\n properties:\n connectionPool:\n properties:\n http:\n description: HTTP connection pool settings.\n properties:\n h2UpgradePolicy:\n description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.\n enum:\n - DEFAULT\n - DO_NOT_UPGRADE\n - UPGRADE\n type: string\n http1MaxPendingRequests:\n description: Maximum number of pending HTTP requests to a destination.\n format: int32\n type: integer\n http2MaxRequests:\n description: Maximum number of requests to a backend.\n format: int32\n type: integer\n idleTimeout:\n description: The idle timeout for upstream connection pool connections.\n type: string\n maxRequestsPerConnection:\n description: Maximum number of requests per connection to a backend.\n format: int32\n type: integer\n maxRetries:\n format: int32\n type: integer\n useClientProtocol:\n description: If set to true, client protocol will be preserved while initiating connection to backend.\n type: boolean\n type: object\n tcp:\n description: Settings common to both HTTP and TCP upstream connections.\n properties:\n connectTimeout:\n description: TCP connection timeout.\n type: string\n maxConnections:\n description: Maximum number of HTTP1 /TCP connections to a destination host.\n format: int32\n type: integer\n tcpKeepalive:\n description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.\n properties:\n interval:\n description: The time duration between keep-alive probes.\n type: string\n probes:\n type: integer\n time:\n type: string\n type: object\n type: object\n type: object\n loadBalancer:\n description: Settings controlling the load balancer algorithms.\n oneOf:\n - not:\n anyOf:\n - required:\n - simple\n - properties:\n consistentHash:\n oneOf:\n - not:\n anyOf:\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n required:\n - consistentHash\n - required:\n - simple\n - properties:\n consistentHash:\n oneOf:\n - not:\n anyOf:\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n required:\n - consistentHash\n properties:\n consistentHash:\n properties:\n httpCookie:\n description: Hash based on HTTP cookie.\n properties:\n name:\n description: Name of the cookie.\n format: string\n type: string\n path:\n description: Path to set for the cookie.\n format: string\n type: string\n ttl:\n description: Lifetime of the cookie.\n type: string\n type: object\n httpHeaderName:\n description: Hash based on a specific HTTP header.\n format: string\n type: string\n httpQueryParameterName:\n description: Hash based on a specific HTTP query parameter.\n format: string\n type: string\n minimumRingSize:\n type: integer\n useSourceIp:\n description: Hash based on the source IP address.\n type: boolean\n type: object\n localityLbSetting:\n properties:\n distribute:\n description: 'Optional: only one of distribute or failover can be set.'\n items:\n properties:\n from:\n description: Originating locality, '/' separated, e.g.\n format: string\n type: string\n to:\n additionalProperties:\n type: integer\n description: Map of upstream localities to traffic distribution weights.\n type: object\n type: object\n type: array\n enabled:\n description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.\n nullable: true\n type: boolean\n failover:\n description: 'Optional: only failover or distribute can be set.'\n items:\n properties:\n from:\n description: Originating region.\n format: string\n type: string\n to:\n format: string\n type: string\n type: object\n type: array\n type: object\n simple:\n enum:\n - ROUND_ROBIN\n - LEAST_CONN\n - RANDOM\n - PASSTHROUGH\n type: string\n type: object\n outlierDetection:\n properties:\n baseEjectionTime:\n description: Minimum ejection duration.\n type: string\n consecutive5xxErrors:\n description: Number of 5xx errors before a host is ejected from the connection pool.\n nullable: true\n type: integer\n consecutiveErrors:\n format: int32\n type: integer\n consecutiveGatewayErrors:\n description: Number of gateway errors before a host is ejected from the connection pool.\n nullable: true\n type: integer\n interval:\n description: Time interval between ejection sweep analysis.\n type: string\n maxEjectionPercent:\n format: int32\n type: integer\n minHealthPercent:\n format: int32\n type: integer\n type: object\n portLevelSettings:\n description: Traffic policies specific to individual ports.\n items:\n properties:\n connectionPool:\n properties:\n http:\n description: HTTP connection pool settings.\n properties:\n h2UpgradePolicy:\n description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.\n enum:\n - DEFAULT\n - DO_NOT_UPGRADE\n - UPGRADE\n type: string\n http1MaxPendingRequests:\n description: Maximum number of pending HTTP requests to a destination.\n format: int32\n type: integer\n http2MaxRequests:\n description: Maximum number of requests to a backend.\n format: int32\n type: integer\n idleTimeout:\n description: The idle timeout for upstream connection pool connections.\n type: string\n maxRequestsPerConnection:\n description: Maximum number of requests per connection to a backend.\n format: int32\n type: integer\n maxRetries:\n format: int32\n type: integer\n useClientProtocol:\n description: If set to true, client protocol will be preserved while initiating connection to backend.\n type: boolean\n type: object\n tcp:\n description: Settings common to both HTTP and TCP upstream connections.\n properties:\n connectTimeout:\n description: TCP connection timeout.\n type: string\n maxConnections:\n description: Maximum number of HTTP1 /TCP connections to a destination host.\n format: int32\n type: integer\n tcpKeepalive:\n description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.\n properties:\n interval:\n description: The time duration between keep-alive probes.\n type: string\n probes:\n type: integer\n time:\n type: string\n type: object\n type: object\n type: object\n loadBalancer:\n description: Settings controlling the load balancer algorithms.\n oneOf:\n - not:\n anyOf:\n - required:\n - simple\n - properties:\n consistentHash:\n oneOf:\n - not:\n anyOf:\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n required:\n - consistentHash\n - required:\n - simple\n - properties:\n consistentHash:\n oneOf:\n - not:\n anyOf:\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n - required:\n - httpHeaderName\n - required:\n - httpCookie\n - required:\n - useSourceIp\n - required:\n - httpQueryParameterName\n required:\n - consistentHash\n properties:\n consistentHash:\n properties:\n httpCookie:\n description: Hash based on HTTP cookie.\n properties:\n name:\n description: Name of the cookie.\n format: string\n type: string\n path:\n description: Path to set for the cookie.\n format: string\n type: string\n ttl:\n description: Lifetime of the cookie.\n type: string\n type: object\n httpHeaderName:\n description: Hash based on a specific HTTP header.\n format: string\n type: string\n httpQueryParameterName:\n description: Hash based on a specific HTTP query parameter.\n format: string\n type: string\n minimumRingSize:\n type: integer\n useSourceIp:\n description: Hash based on the source IP address.\n type: boolean\n type: object\n localityLbSetting:\n properties:\n distribute:\n description: 'Optional: only one of distribute or failover can be set.'\n items:\n properties:\n from:\n description: Originating locality, '/' separated, e.g.\n format: string\n type: string\n to:\n additionalProperties:\n type: integer\n description: Map of upstream localities to traffic distribution weights.\n type: object\n type: object\n type: array\n enabled:\n description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.\n nullable: true\n type: boolean\n failover:\n description: 'Optional: only failover or distribute can be set.'\n items:\n properties:\n from:\n description: Originating region.\n format: string\n type: string\n to:\n format: string\n type: string\n type: object\n type: array\n type: object\n simple:\n enum:\n - ROUND_ROBIN\n - LEAST_CONN\n - RANDOM\n - PASSTHROUGH\n type: string\n type: object\n outlierDetection:\n properties:\n baseEjectionTime:\n description: Minimum ejection duration.\n type: string\n consecutive5xxErrors:\n description: Number of 5xx errors before a host is ejected from the connection pool.\n nullable: true\n type: integer\n consecutiveErrors:\n format: int32\n type: integer\n consecutiveGatewayErrors:\n description: Number of gateway errors before a host is ejected from the connection pool.\n nullable: true\n type: integer\n interval:\n description: Time interval between ejection sweep analysis.\n type: string\n maxEjectionPercent:\n format: int32\n type: integer\n minHealthPercent:\n format: int32\n type: integer\n type: object\n port:\n properties:\n number:\n type: integer\n type: object\n tls:\n description: TLS related settings for connections to the upstream service.\n properties:\n caCertificates:\n format: string\n type: string\n clientCertificate:\n description: REQUIRED if mode is `MUTUAL`.\n format: string\n type: string\n credentialName:\n format: string\n type: string\n mode:\n enum:\n - DISABLE\n - SIMPLE\n - MUTUAL\n - ISTIO_MUTUAL\n type: string\n privateKey:\n description: REQUIRED if mode is `MUTUAL`.\n format: string\n type: string\n sni:\n description: SNI string to present to the server during TLS handshake.\n format: string\n type: string\n subjectAltNames:\n items:\n format: string\n type: string\n type: array\n type: object\n type: object\n type: array\n tls:\n description: TLS related settings for connections to the upstream service.\n properties:\n caCertificates:\n format: string\n type: string\n clientCertificate:\n description: REQUIRED if mode is `MUTUAL`.\n format: string\n type: string\n credentialName:\n format: string\n type: string\n mode:\n enum:\n - DISABLE\n - SIMPLE\n - MUTUAL\n - ISTIO_MUTUAL\n type: string\n privateKey:\n description: REQUIRED if mode is `MUTUAL`.\n format: string\n type: string\n sni:\n description: SNI string to present to the server during TLS handshake.\n format: string\n type: string\n subjectAltNames:\n items:\n format: string\n type: string\n type: array\n type: object\n type: object\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1alpha3\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n release: istio\n name: envoyfilters.networking.istio.io\nspec:\n group: networking.istio.io\n names:\n categories:\n - istio-io\n - networking-istio-io\n kind: EnvoyFilter\n listKind: EnvoyFilterList\n plural: envoyfilters\n singular: envoyfilter\n preserveUnknownFields: true\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'\n properties:\n configPatches:\n description: One or more patches with match conditions.\n items:\n properties:\n applyTo:\n enum:\n - INVALID\n - LISTENER\n - FILTER_CHAIN\n - NETWORK_FILTER\n - HTTP_FILTER\n - ROUTE_CONFIGURATION\n - VIRTUAL_HOST\n - HTTP_ROUTE\n - CLUSTER\n - EXTENSION_CONFIG\n type: string\n match:\n description: Match on listener/route configuration/cluster.\n oneOf:\n - not:\n anyOf:\n - required:\n - listener\n - required:\n - routeConfiguration\n - required:\n - cluster\n - required:\n - listener\n - required:\n - routeConfiguration\n - required:\n - cluster\n properties:\n cluster:\n description: Match on envoy cluster attributes.\n properties:\n name:\n description: The exact name of the cluster to match.\n format: string\n type: string\n portNumber:\n description: The service port for which this cluster was generated.\n type: integer\n service:\n description: The fully qualified service name for this cluster.\n format: string\n type: string\n subset:\n description: The subset associated with the service.\n format: string\n type: string\n type: object\n context:\n description: The specific config generation context to match on.\n enum:\n - ANY\n - SIDECAR_INBOUND\n - SIDECAR_OUTBOUND\n - GATEWAY\n type: string\n listener:\n description: Match on envoy listener attributes.\n properties:\n filterChain:\n description: Match a specific filter chain in a listener.\n properties:\n applicationProtocols:\n description: Applies only to sidecars.\n format: string\n type: string\n destinationPort:\n description: The destination_port value used by a filter chain's match condition.\n type: integer\n filter:\n description: The name of a specific filter to apply the patch to.\n properties:\n name:\n description: The filter name to match on.\n format: string\n type: string\n subFilter:\n properties:\n name:\n description: The filter name to match on.\n format: string\n type: string\n type: object\n type: object\n name:\n description: The name assigned to the filter chain.\n format: string\n type: string\n sni:\n description: The SNI value used by a filter chain's match condition.\n format: string\n type: string\n transportProtocol:\n description: Applies only to `SIDECAR_INBOUND` context.\n format: string\n type: string\n type: object\n name:\n description: Match a specific listener by its name.\n format: string\n type: string\n portName:\n format: string\n type: string\n portNumber:\n type: integer\n type: object\n proxy:\n description: Match on properties associated with a proxy.\n properties:\n metadata:\n additionalProperties:\n format: string\n type: string\n type: object\n proxyVersion:\n format: string\n type: string\n type: object\n routeConfiguration:\n description: Match on envoy HTTP route configuration attributes.\n properties:\n gateway:\n format: string\n type: string\n name:\n description: Route configuration name to match on.\n format: string\n type: string\n portName:\n description: Applicable only for GATEWAY context.\n format: string\n type: string\n portNumber:\n type: integer\n vhost:\n properties:\n name:\n format: string\n type: string\n route:\n description: Match a specific route within the virtual host.\n properties:\n action:\n description: Match a route with specific action type.\n enum:\n - ANY\n - ROUTE\n - REDIRECT\n - DIRECT_RESPONSE\n type: string\n name:\n format: string\n type: string\n type: object\n type: object\n type: object\n type: object\n patch:\n description: The patch to apply along with the operation.\n properties:\n filterClass:\n description: Determines the filter insertion order.\n enum:\n - UNSPECIFIED\n - AUTHN\n - AUTHZ\n - STATS\n type: string\n operation:\n description: Determines how the patch should be applied.\n enum:\n - INVALID\n - MERGE\n - ADD\n - REMOVE\n - INSERT_BEFORE\n - INSERT_AFTER\n - INSERT_FIRST\n - REPLACE\n type: string\n value:\n description: The JSON config of the object being patched.\n type: object\n type: object\n type: object\n type: array\n workloadSelector:\n properties:\n labels:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1alpha3\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n release: istio\n name: gateways.networking.istio.io\nspec:\n group: networking.istio.io\n names:\n categories:\n - istio-io\n - networking-istio-io\n kind: Gateway\n listKind: GatewayList\n plural: gateways\n shortNames:\n - gw\n singular: gateway\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html'\n properties:\n selector:\n additionalProperties:\n format: string\n type: string\n type: object\n servers:\n description: A list of server specifications.\n items:\n properties:\n bind:\n format: string\n type: string\n defaultEndpoint:\n format: string\n type: string\n hosts:\n description: One or more hosts exposed by this gateway.\n items:\n format: string\n type: string\n type: array\n name:\n description: An optional name of the server, when set must be unique across all servers.\n format: string\n type: string\n port:\n properties:\n name:\n description: Label assigned to the port.\n format: string\n type: string\n number:\n description: A valid non-negative integer port number.\n type: integer\n protocol:\n description: The protocol exposed on the port.\n format: string\n type: string\n targetPort:\n type: integer\n type: object\n tls:\n description: Set of TLS related options that govern the server's behavior.\n properties:\n caCertificates:\n description: REQUIRED if mode is `MUTUAL`.\n format: string\n type: string\n cipherSuites:\n description: 'Optional: If specified, only support the specified cipher list.'\n items:\n format: string\n type: string\n type: array\n credentialName:\n format: string\n type: string\n httpsRedirect:\n type: boolean\n maxProtocolVersion:\n description: 'Optional: Maximum TLS protocol version.'\n enum:\n - TLS_AUTO\n - TLSV1_0\n - TLSV1_1\n - TLSV1_2\n - TLSV1_3\n type: string\n minProtocolVersion:\n description: 'Optional: Minimum TLS protocol version.'\n enum:\n - TLS_AUTO\n - TLSV1_0\n - TLSV1_1\n - TLSV1_2\n - TLSV1_3\n type: string\n mode:\n enum:\n - PASSTHROUGH\n - SIMPLE\n - MUTUAL\n - AUTO_PASSTHROUGH\n - ISTIO_MUTUAL\n type: string\n privateKey:\n description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.\n format: string\n type: string\n serverCertificate:\n description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.\n format: string\n type: string\n subjectAltNames:\n items:\n format: string\n type: string\n type: array\n verifyCertificateHash:\n items:\n format: string\n type: string\n type: array\n verifyCertificateSpki:\n items:\n format: string\n type: string\n type: array\n type: object\n type: object\n type: array\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1alpha3\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n release: istio\n name: istiooperators.install.istio.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .spec.revision\n description: Istio control plane revision\n name: Revision\n type: string\n - JSONPath: .status.status\n description: IOP current state\n name: Status\n type: string\n - JSONPath: .metadata.creationTimestamp\n description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'\n name: Age\n type: date\n group: install.istio.io\n names:\n kind: IstioOperator\n plural: istiooperators\n shortNames:\n - iop\n - io\n singular: istiooperator\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n spec:\n description: 'Specification of the desired state of the istio control plane resource. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'\n type: object\n status:\n description: 'Status describes each of istio control plane component status at the current time. 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'\n type: object\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n istio: security\n release: istio\n name: peerauthentications.security.istio.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .spec.mtls.mode\n description: Defines the mTLS mode used for peer authentication.\n name: Mode\n type: string\n - JSONPath: .metadata.creationTimestamp\n description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'\n name: Age\n type: date\n group: security.istio.io\n names:\n categories:\n - istio-io\n - security-istio-io\n kind: PeerAuthentication\n listKind: PeerAuthenticationList\n plural: peerauthentications\n shortNames:\n - pa\n singular: peerauthentication\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.\n properties:\n mtls:\n description: Mutual TLS settings for workload.\n properties:\n mode:\n description: Defines the mTLS mode used for peer authentication.\n enum:\n - UNSET\n - DISABLE\n - PERMISSIVE\n - STRICT\n type: string\n type: object\n portLevelMtls:\n additionalProperties:\n properties:\n mode:\n description: Defines the mTLS mode used for peer authentication.\n enum:\n - UNSET\n - DISABLE\n - PERMISSIVE\n - STRICT\n type: string\n type: object\n description: Port specific mutual TLS settings.\n type: object\n selector:\n description: The selector determines the workloads to apply the ChannelAuthentication on.\n properties:\n matchLabels:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1beta1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n istio: security\n release: istio\n name: requestauthentications.security.istio.io\nspec:\n group: security.istio.io\n names:\n categories:\n - istio-io\n - security-istio-io\n kind: RequestAuthentication\n listKind: RequestAuthenticationList\n plural: requestauthentications\n shortNames:\n - ra\n singular: requestauthentication\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: RequestAuthentication defines what request authentication methods are supported by a workload.\n properties:\n jwtRules:\n description: Define the list of JWTs that can be validated at the selected workloads' proxy.\n items:\n properties:\n audiences:\n items:\n format: string\n type: string\n type: array\n forwardOriginalToken:\n description: If set to true, the orginal token will be kept for the ustream request.\n type: boolean\n fromHeaders:\n description: List of header locations from which JWT is expected.\n items:\n properties:\n name:\n description: The HTTP header name.\n format: string\n type: string\n prefix:\n description: The prefix that should be stripped before decoding the token.\n format: string\n type: string\n type: object\n type: array\n fromParams:\n description: List of query parameters from which JWT is expected.\n items:\n format: string\n type: string\n type: array\n issuer:\n description: Identifies the issuer that issued the JWT.\n format: string\n type: string\n jwks:\n description: JSON Web Key Set of public keys to validate signature of the JWT.\n format: string\n type: string\n jwks_uri:\n format: string\n type: string\n jwksUri:\n format: string\n type: string\n outputPayloadToHeader:\n format: string\n type: string\n type: object\n type: array\n selector:\n description: The selector determines the workloads to apply the RequestAuthentication on.\n properties:\n matchLabels:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1beta1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n release: istio\n name: serviceentries.networking.istio.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .spec.hosts\n description: The hosts associated with the ServiceEntry\n name: Hosts\n type: string\n - JSONPath: .spec.location\n description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL)\n name: Location\n type: string\n - JSONPath: .spec.resolution\n description: Service discovery mode for the hosts (NONE, STATIC, or DNS)\n name: Resolution\n type: string\n - JSONPath: .metadata.creationTimestamp\n description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'\n name: Age\n type: date\n group: networking.istio.io\n names:\n categories:\n - istio-io\n - networking-istio-io\n kind: ServiceEntry\n listKind: ServiceEntryList\n plural: serviceentries\n shortNames:\n - se\n singular: serviceentry\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html'\n properties:\n addresses:\n description: The virtual IP addresses associated with the service.\n items:\n format: string\n type: string\n type: array\n endpoints:\n description: One or more endpoints associated with the service.\n items:\n properties:\n address:\n format: string\n type: string\n labels:\n additionalProperties:\n format: string\n type: string\n description: One or more labels associated with the endpoint.\n type: object\n locality:\n description: The locality associated with the endpoint.\n format: string\n type: string\n network:\n format: string\n type: string\n ports:\n additionalProperties:\n type: integer\n description: Set of ports associated with the endpoint.\n type: object\n serviceAccount:\n format: string\n type: string\n weight:\n description: The load balancing weight associated with the endpoint.\n type: integer\n type: object\n type: array\n exportTo:\n description: A list of namespaces to which this service is exported.\n items:\n format: string\n type: string\n type: array\n hosts:\n description: The hosts associated with the ServiceEntry.\n items:\n format: string\n type: string\n type: array\n location:\n enum:\n - MESH_EXTERNAL\n - MESH_INTERNAL\n type: string\n ports:\n description: The ports associated with the external service.\n items:\n properties:\n name:\n description: Label assigned to the port.\n format: string\n type: string\n number:\n description: A valid non-negative integer port number.\n type: integer\n protocol:\n description: The protocol exposed on the port.\n format: string\n type: string\n targetPort:\n type: integer\n type: object\n type: array\n resolution:\n description: Service discovery mode for the hosts.\n enum:\n - NONE\n - STATIC\n - DNS\n type: string\n subjectAltNames:\n items:\n format: string\n type: string\n type: array\n workloadSelector:\n description: Applicable only for MESH_INTERNAL services.\n properties:\n labels:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1alpha3\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n release: istio\n name: sidecars.networking.istio.io\nspec:\n group: networking.istio.io\n names:\n categories:\n - istio-io\n - networking-istio-io\n kind: Sidecar\n listKind: SidecarList\n plural: sidecars\n singular: sidecar\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'\n properties:\n egress:\n items:\n properties:\n bind:\n format: string\n type: string\n captureMode:\n enum:\n - DEFAULT\n - IPTABLES\n - NONE\n type: string\n hosts:\n items:\n format: string\n type: string\n type: array\n port:\n description: The port associated with the listener.\n properties:\n name:\n description: Label assigned to the port.\n format: string\n type: string\n number:\n description: A valid non-negative integer port number.\n type: integer\n protocol:\n description: The protocol exposed on the port.\n format: string\n type: string\n targetPort:\n type: integer\n type: object\n type: object\n type: array\n ingress:\n items:\n properties:\n bind:\n description: The IP to which the listener should be bound.\n format: string\n type: string\n captureMode:\n enum:\n - DEFAULT\n - IPTABLES\n - NONE\n type: string\n defaultEndpoint:\n format: string\n type: string\n port:\n description: The port associated with the listener.\n properties:\n name:\n description: Label assigned to the port.\n format: string\n type: string\n number:\n description: A valid non-negative integer port number.\n type: integer\n protocol:\n description: The protocol exposed on the port.\n format: string\n type: string\n targetPort:\n type: integer\n type: object\n type: object\n type: array\n outboundTrafficPolicy:\n description: Configuration for the outbound traffic policy.\n properties:\n egressProxy:\n properties:\n host:\n description: The name of a service from the service registry.\n format: string\n type: string\n port:\n description: Specifies the port on the host that is being addressed.\n properties:\n number:\n type: integer\n type: object\n subset:\n description: The name of a subset within the service.\n format: string\n type: string\n type: object\n mode:\n enum:\n - REGISTRY_ONLY\n - ALLOW_ANY\n type: string\n type: object\n workloadSelector:\n properties:\n labels:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1alpha3\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n release: istio\n name: virtualservices.networking.istio.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .spec.gateways\n description: The names of gateways and sidecars that should apply these routes\n name: Gateways\n type: string\n - JSONPath: .spec.hosts\n description: The destination hosts to which traffic is being sent\n name: Hosts\n type: string\n - JSONPath: .metadata.creationTimestamp\n description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'\n name: Age\n type: date\n group: networking.istio.io\n names:\n categories:\n - istio-io\n - networking-istio-io\n kind: VirtualService\n listKind: VirtualServiceList\n plural: virtualservices\n shortNames:\n - vs\n singular: virtualservice\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'\n properties:\n exportTo:\n description: A list of namespaces to which this virtual service is exported.\n items:\n format: string\n type: string\n type: array\n gateways:\n description: The names of gateways and sidecars that should apply these routes.\n items:\n format: string\n type: string\n type: array\n hosts:\n description: The destination hosts to which traffic is being sent.\n items:\n format: string\n type: string\n type: array\n http:\n description: An ordered list of route rules for HTTP traffic.\n items:\n properties:\n corsPolicy:\n description: Cross-Origin Resource Sharing policy (CORS).\n properties:\n allowCredentials:\n nullable: true\n type: boolean\n allowHeaders:\n items:\n format: string\n type: string\n type: array\n allowMethods:\n description: List of HTTP methods allowed to access the resource.\n items:\n format: string\n type: string\n type: array\n allowOrigin:\n description: The list of origins that are allowed to perform CORS requests.\n items:\n format: string\n type: string\n type: array\n allowOrigins:\n description: String patterns that match allowed origins.\n items:\n oneOf:\n - not:\n anyOf:\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n properties:\n exact:\n format: string\n type: string\n prefix:\n format: string\n type: string\n regex:\n description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).\n format: string\n type: string\n type: object\n type: array\n exposeHeaders:\n items:\n format: string\n type: string\n type: array\n maxAge:\n type: string\n type: object\n delegate:\n properties:\n name:\n description: Name specifies the name of the delegate VirtualService.\n format: string\n type: string\n namespace:\n description: Namespace specifies the namespace where the delegate VirtualService resides.\n format: string\n type: string\n type: object\n fault:\n description: Fault injection policy to apply on HTTP traffic at the client side.\n properties:\n abort:\n oneOf:\n - not:\n anyOf:\n - required:\n - httpStatus\n - required:\n - grpcStatus\n - required:\n - http2Error\n - required:\n - httpStatus\n - required:\n - grpcStatus\n - required:\n - http2Error\n properties:\n grpcStatus:\n format: string\n type: string\n http2Error:\n format: string\n type: string\n httpStatus:\n description: HTTP status code to use to abort the Http request.\n format: int32\n type: integer\n percentage:\n description: Percentage of requests to be aborted with the error code provided.\n properties:\n value:\n format: double\n type: number\n type: object\n type: object\n delay:\n oneOf:\n - not:\n anyOf:\n - required:\n - fixedDelay\n - required:\n - exponentialDelay\n - required:\n - fixedDelay\n - required:\n - exponentialDelay\n properties:\n exponentialDelay:\n type: string\n fixedDelay:\n description: Add a fixed delay before forwarding the request.\n type: string\n percent:\n description: Percentage of requests on which the delay will be injected (0-100).\n format: int32\n type: integer\n percentage:\n description: Percentage of requests on which the delay will be injected.\n properties:\n value:\n format: double\n type: number\n type: object\n type: object\n type: object\n headers:\n properties:\n request:\n properties:\n add:\n additionalProperties:\n format: string\n type: string\n type: object\n remove:\n items:\n format: string\n type: string\n type: array\n set:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n response:\n properties:\n add:\n additionalProperties:\n format: string\n type: string\n type: object\n remove:\n items:\n format: string\n type: string\n type: array\n set:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n type: object\n match:\n items:\n properties:\n authority:\n oneOf:\n - not:\n anyOf:\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n properties:\n exact:\n format: string\n type: string\n prefix:\n format: string\n type: string\n regex:\n description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).\n format: string\n type: string\n type: object\n gateways:\n description: Names of gateways where the rule should be applied.\n items:\n format: string\n type: string\n type: array\n headers:\n additionalProperties:\n oneOf:\n - not:\n anyOf:\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n properties:\n exact:\n format: string\n type: string\n prefix:\n format: string\n type: string\n regex:\n description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).\n format: string\n type: string\n type: object\n type: object\n ignoreUriCase:\n description: Flag to specify whether the URI matching should be case-insensitive.\n type: boolean\n method:\n oneOf:\n - not:\n anyOf:\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n properties:\n exact:\n format: string\n type: string\n prefix:\n format: string\n type: string\n regex:\n description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).\n format: string\n type: string\n type: object\n name:\n description: The name assigned to a match.\n format: string\n type: string\n port:\n description: Specifies the ports on the host that is being addressed.\n type: integer\n queryParams:\n additionalProperties:\n oneOf:\n - not:\n anyOf:\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n properties:\n exact:\n format: string\n type: string\n prefix:\n format: string\n type: string\n regex:\n description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).\n format: string\n type: string\n type: object\n description: Query parameters for matching.\n type: object\n scheme:\n oneOf:\n - not:\n anyOf:\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n properties:\n exact:\n format: string\n type: string\n prefix:\n format: string\n type: string\n regex:\n description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).\n format: string\n type: string\n type: object\n sourceLabels:\n additionalProperties:\n format: string\n type: string\n type: object\n sourceNamespace:\n description: Source namespace constraining the applicability of a rule to workloads in that namespace.\n format: string\n type: string\n uri:\n oneOf:\n - not:\n anyOf:\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n properties:\n exact:\n format: string\n type: string\n prefix:\n format: string\n type: string\n regex:\n description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).\n format: string\n type: string\n type: object\n withoutHeaders:\n additionalProperties:\n oneOf:\n - not:\n anyOf:\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n - required:\n - exact\n - required:\n - prefix\n - required:\n - regex\n properties:\n exact:\n format: string\n type: string\n prefix:\n format: string\n type: string\n regex:\n description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).\n format: string\n type: string\n type: object\n description: withoutHeader has the same syntax with the header, but has opposite meaning.\n type: object\n type: object\n type: array\n mirror:\n properties:\n host:\n description: The name of a service from the service registry.\n format: string\n type: string\n port:\n description: Specifies the port on the host that is being addressed.\n properties:\n number:\n type: integer\n type: object\n subset:\n description: The name of a subset within the service.\n format: string\n type: string\n type: object\n mirror_percent:\n description: Percentage of the traffic to be mirrored by the `mirror` field.\n nullable: true\n type: integer\n mirrorPercent:\n description: Percentage of the traffic to be mirrored by the `mirror` field.\n nullable: true\n type: integer\n mirrorPercentage:\n description: Percentage of the traffic to be mirrored by the `mirror` field.\n properties:\n value:\n format: double\n type: number\n type: object\n name:\n description: The name assigned to the route for debugging purposes.\n format: string\n type: string\n redirect:\n description: A HTTP rule can either redirect or forward (default) traffic.\n properties:\n authority:\n format: string\n type: string\n redirectCode:\n type: integer\n uri:\n format: string\n type: string\n type: object\n retries:\n description: Retry policy for HTTP requests.\n properties:\n attempts:\n description: Number of retries to be allowed for a given request.\n format: int32\n type: integer\n perTryTimeout:\n description: Timeout per retry attempt for a given request.\n type: string\n retryOn:\n description: Specifies the conditions under which retry takes place.\n format: string\n type: string\n retryRemoteLocalities:\n description: Flag to specify whether the retries should retry to other localities.\n nullable: true\n type: boolean\n type: object\n rewrite:\n description: Rewrite HTTP URIs and Authority headers.\n properties:\n authority:\n description: rewrite the Authority/Host header with this value.\n format: string\n type: string\n uri:\n format: string\n type: string\n type: object\n route:\n description: A HTTP rule can either redirect or forward (default) traffic.\n items:\n properties:\n destination:\n properties:\n host:\n description: The name of a service from the service registry.\n format: string\n type: string\n port:\n description: Specifies the port on the host that is being addressed.\n properties:\n number:\n type: integer\n type: object\n subset:\n description: The name of a subset within the service.\n format: string\n type: string\n type: object\n headers:\n properties:\n request:\n properties:\n add:\n additionalProperties:\n format: string\n type: string\n type: object\n remove:\n items:\n format: string\n type: string\n type: array\n set:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n response:\n properties:\n add:\n additionalProperties:\n format: string\n type: string\n type: object\n remove:\n items:\n format: string\n type: string\n type: array\n set:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n type: object\n weight:\n format: int32\n type: integer\n type: object\n type: array\n timeout:\n description: Timeout for HTTP requests, default is disabled.\n type: string\n type: object\n type: array\n tcp:\n description: An ordered list of route rules for opaque TCP traffic.\n items:\n properties:\n match:\n items:\n properties:\n destinationSubnets:\n description: IPv4 or IPv6 ip addresses of destination with optional subnet.\n items:\n format: string\n type: string\n type: array\n gateways:\n description: Names of gateways where the rule should be applied.\n items:\n format: string\n type: string\n type: array\n port:\n description: Specifies the port on the host that is being addressed.\n type: integer\n sourceLabels:\n additionalProperties:\n format: string\n type: string\n type: object\n sourceNamespace:\n description: Source namespace constraining the applicability of a rule to workloads in that namespace.\n format: string\n type: string\n sourceSubnet:\n description: IPv4 or IPv6 ip address of source with optional subnet.\n format: string\n type: string\n type: object\n type: array\n route:\n description: The destination to which the connection should be forwarded to.\n items:\n properties:\n destination:\n properties:\n host:\n description: The name of a service from the service registry.\n format: string\n type: string\n port:\n description: Specifies the port on the host that is being addressed.\n properties:\n number:\n type: integer\n type: object\n subset:\n description: The name of a subset within the service.\n format: string\n type: string\n type: object\n weight:\n format: int32\n type: integer\n type: object\n type: array\n type: object\n type: array\n tls:\n items:\n properties:\n match:\n items:\n properties:\n destinationSubnets:\n description: IPv4 or IPv6 ip addresses of destination with optional subnet.\n items:\n format: string\n type: string\n type: array\n gateways:\n description: Names of gateways where the rule should be applied.\n items:\n format: string\n type: string\n type: array\n port:\n description: Specifies the port on the host that is being addressed.\n type: integer\n sniHosts:\n description: SNI (server name indicator) to match on.\n items:\n format: string\n type: string\n type: array\n sourceLabels:\n additionalProperties:\n format: string\n type: string\n type: object\n sourceNamespace:\n description: Source namespace constraining the applicability of a rule to workloads in that namespace.\n format: string\n type: string\n type: object\n type: array\n route:\n description: The destination to which the connection should be forwarded to.\n items:\n properties:\n destination:\n properties:\n host:\n description: The name of a service from the service registry.\n format: string\n type: string\n port:\n description: Specifies the port on the host that is being addressed.\n properties:\n number:\n type: integer\n type: object\n subset:\n description: The name of a subset within the service.\n format: string\n type: string\n type: object\n weight:\n format: int32\n type: integer\n type: object\n type: array\n type: object\n type: array\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1alpha3\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n helm.sh/resource-policy: keep\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n release: istio\n name: workloadentries.networking.istio.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .metadata.creationTimestamp\n description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'\n name: Age\n type: date\n - JSONPath: .spec.address\n description: Address associated with the network endpoint.\n name: Address\n type: string\n group: networking.istio.io\n names:\n categories:\n - istio-io\n - networking-istio-io\n kind: WorkloadEntry\n listKind: WorkloadEntryList\n plural: workloadentries\n shortNames:\n - we\n singular: workloadentry\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'\n properties:\n address:\n format: string\n type: string\n labels:\n additionalProperties:\n format: string\n type: string\n description: One or more labels associated with the endpoint.\n type: object\n locality:\n description: The locality associated with the endpoint.\n format: string\n type: string\n network:\n format: string\n type: string\n ports:\n additionalProperties:\n type: integer\n description: Set of ports associated with the endpoint.\n type: object\n serviceAccount:\n format: string\n type: string\n weight:\n description: The load balancing weight associated with the endpoint.\n type: integer\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1alpha3\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n app: istio-pilot\n chart: istio\n heritage: Tiller\n release: istio\n name: workloadgroups.networking.istio.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .metadata.creationTimestamp\n description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'\n name: Age\n type: date\n group: networking.istio.io\n names:\n categories:\n - istio-io\n - networking-istio-io\n kind: WorkloadGroup\n listKind: WorkloadGroupList\n plural: workloadgroups\n shortNames:\n - wg\n singular: workloadgroup\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html'\n properties:\n metadata:\n description: Metadata that will be used for all corresponding `WorkloadEntries`.\n properties:\n annotations:\n additionalProperties:\n format: string\n type: string\n type: object\n labels:\n additionalProperties:\n format: string\n type: string\n type: object\n type: object\n probe:\n description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.'\n oneOf:\n - not:\n anyOf:\n - required:\n - httpGet\n - required:\n - tcpSocket\n - required:\n - exec\n - required:\n - httpGet\n - required:\n - tcpSocket\n - required:\n - exec\n properties:\n exec:\n description: Health is determined by how the command that is executed exited.\n properties:\n command:\n description: Command to run.\n items:\n format: string\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded.\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP.\n format: string\n type: string\n httpHeaders:\n description: Headers the proxy will pass on to make the request.\n items:\n properties:\n name:\n format: string\n type: string\n value:\n format: string\n type: string\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n format: string\n type: string\n port:\n description: Port on which the endpoint lives.\n type: integer\n scheme:\n format: string\n type: string\n type: object\n initialDelaySeconds:\n description: Number of seconds after the container has started before readiness probes are initiated.\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed.\n format: int32\n type: integer\n tcpSocket:\n description: Health is determined by if the proxy is able to connect.\n properties:\n host:\n format: string\n type: string\n port:\n type: integer\n type: object\n timeoutSeconds:\n description: Number of seconds after which the probe times out.\n format: int32\n type: integer\n type: object\n template:\n description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`.\n properties:\n address:\n format: string\n type: string\n labels:\n additionalProperties:\n format: string\n type: string\n description: One or more labels associated with the endpoint.\n type: object\n locality:\n description: The locality associated with the endpoint.\n format: string\n type: string\n network:\n format: string\n type: string\n ports:\n additionalProperties:\n type: integer\n description: Set of ports associated with the endpoint.\n type: object\n serviceAccount:\n format: string\n type: string\n weight:\n description: The load balancing weight associated with the endpoint.\n type: integer\n type: object\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1alpha3\n served: true\n storage: true\n"
},
{
"path": "manifest1.3/005-istio-1-9-0-istio-namespace-base.yaml",
"content": "apiVersion: v1\nkind: Namespace\nmetadata:\n labels:\n istio-injection: disabled\n istio-operator-managed: Reconcile\n name: istio-system\n"
},
{
"path": "manifest1.3/006-istio-1-9-0-istio-install-base.yaml",
"content": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: istio-ingressgateway\n install.operator.istio.io/owning-resource: unknown\n istio: ingressgateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: istio-ingressgateway-service-account\n namespace: istio-system\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: istio-reader\n release: istio\n name: istio-reader-service-account\n namespace: istio-system\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: istiod\n release: istio\n name: istiod-service-account\n namespace: istio-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: istio-ingressgateway-sds\n namespace: istio-system\nrules:\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - watch\n - list\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: istiod\n release: istio\n name: istiod-istio-system\n namespace: istio-system\nrules:\n- apiGroups:\n - networking.istio.io\n resources:\n - gateways\n verbs:\n - create\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - create\n - get\n - watch\n - list\n - update\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: istio-reader\n release: istio\n name: istio-reader-istio-system\nrules:\n- apiGroups:\n - config.istio.io\n - security.istio.io\n - networking.istio.io\n - authentication.istio.io\n - rbac.istio.io\n resources:\n - '*'\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - endpoints\n - pods\n - services\n - nodes\n - replicationcontrollers\n - namespaces\n - secrets\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - networking.istio.io\n resources:\n - workloadentries\n verbs:\n - get\n - watch\n - list\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - apps\n resources:\n - replicasets\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - authentication.k8s.io\n resources:\n - tokenreviews\n verbs:\n - create\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: istiod\n release: istio\n name: istiod-istio-system\nrules:\n- apiGroups:\n - admissionregistration.k8s.io\n resources:\n - mutatingwebhookconfigurations\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n- apiGroups:\n - admissionregistration.k8s.io\n resources:\n - validatingwebhookconfigurations\n verbs:\n - get\n - list\n - watch\n - update\n- apiGroups:\n - config.istio.io\n - security.istio.io\n - networking.istio.io\n - authentication.istio.io\n - rbac.istio.io\n resources:\n - '*'\n verbs:\n - get\n - watch\n - list\n- apiGroups:\n - networking.istio.io\n resources:\n - workloadentries\n verbs:\n - get\n - watch\n - list\n - update\n - patch\n - create\n - delete\n- apiGroups:\n - networking.istio.io\n resources:\n - workloadentries/status\n verbs:\n - get\n - watch\n - list\n - update\n - patch\n - create\n - delete\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - pods\n - nodes\n - services\n - namespaces\n - endpoints\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - networking.k8s.io\n resources:\n - ingresses\n - ingressclasses\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - networking.k8s.io\n resources:\n - ingresses/status\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - create\n - get\n - list\n - watch\n - update\n- apiGroups:\n - certificates.k8s.io\n resources:\n - certificatesigningrequests\n - certificatesigningrequests/approval\n - certificatesigningrequests/status\n verbs:\n - update\n - create\n - get\n - delete\n - watch\n- apiGroups:\n - certificates.k8s.io\n resourceNames:\n - kubernetes.io/legacy-unknown\n resources:\n - signers\n verbs:\n - approve\n- apiGroups:\n - authentication.k8s.io\n resources:\n - tokenreviews\n verbs:\n - create\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n- apiGroups:\n - networking.x-k8s.io\n resources:\n - '*'\n verbs:\n - get\n - watch\n - list\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - watch\n - list\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: istio-ingressgateway-sds\n namespace: istio-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: istio-ingressgateway-sds\nsubjects:\n- kind: ServiceAccount\n name: istio-ingressgateway-service-account\n namespace: istio-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app: istiod\n release: istio\n name: istiod-istio-system\n namespace: istio-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: istiod-istio-system\nsubjects:\n- kind: ServiceAccount\n name: istiod-service-account\n namespace: istio-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: istio-reader\n release: istio\n name: istio-reader-istio-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: istio-reader-istio-system\nsubjects:\n- kind: ServiceAccount\n name: istio-reader-service-account\n namespace: istio-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: istiod\n release: istio\n name: istiod-istio-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: istiod-istio-system\nsubjects:\n- kind: ServiceAccount\n name: istiod-service-account\n namespace: istio-system\n---\napiVersion: v1\ndata:\n mesh: |-\n accessLogFile: /dev/stdout\n defaultConfig:\n discoveryAddress: istiod.istio-system.svc:15012\n proxyMetadata: {}\n tracing:\n zipkin:\n address: zipkin.istio-system:9411\n enablePrometheusMerge: true\n rootNamespace: istio-system\n trustDomain: cluster.local\n meshNetworks: 'networks: {}'\nkind: ConfigMap\nmetadata:\n labels:\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: Pilot\n release: istio\n name: istio\n namespace: istio-system\n---\napiVersion: v1\ndata:\n config: |-\n # defaultTemplates defines the default template to use for pods that do not explicitly specify a template\n defaultTemplates: [sidecar]\n policy: enabled\n alwaysInjectSelector:\n []\n neverInjectSelector:\n []\n injectedAnnotations:\n template: \"{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}\"\n templates:\n sidecar: |\n {{- $containers := list }}\n {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name \"istio-proxy\") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}\n metadata:\n labels:\n security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default \"istio\" | quote }}\n service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}\n service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default \"latest\" | quote }}\n istio.io/rev: {{ .Revision | default \"default\" | quote }}\n annotations: {\n {{- if eq (len $containers) 1 }}\n kubectl.kubernetes.io/default-logs-container: \"{{ index $containers 0 }}\",\n {{ end }}\n {{- if .Values.istio_cni.enabled }}\n {{- if not .Values.istio_cni.chained }}\n k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',\n {{- end }}\n sidecar.istio.io/interceptionMode: \"{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}\",\n {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: \"{{.}}\",{{ end }}\n {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: \"{{.}}\",{{ end }}\n traffic.sidecar.istio.io/includeInboundPorts: \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}\",\n traffic.sidecar.istio.io/excludeInboundPorts: \"{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}\",\n {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts \"\") \"\") }}\n traffic.sidecar.istio.io/includeOutboundPorts: \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}\",\n {{- end }}\n {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts \"\") }}\n traffic.sidecar.istio.io/excludeOutboundPorts: \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}\",\n {{- end }}\n {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: \"{{.}}\",{{ end }}\n {{- end }}\n }\n spec:\n {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}\n initContainers:\n {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}\n {{ if .Values.istio_cni.enabled -}}\n - name: istio-validation\n {{ else -}}\n - name: istio-init\n {{ end -}}\n {{- if contains \"/\" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}\n image: \"{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}\"\n {{- else }}\n image: \"{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}\"\n {{- end }}\n args:\n - istio-iptables\n - \"-p\"\n - \"15001\"\n - \"-z\"\n - \"15006\"\n - \"-u\"\n - \"1337\"\n - \"-m\"\n - \"{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}\"\n - \"-i\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}\"\n - \"-x\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}\"\n - \"-b\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}\"\n - \"-d\"\n {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}\n - \"15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}\"\n {{- else }}\n - \"15090,15021\"\n {{- end }}\n {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts \"\") \"\") -}}\n - \"-q\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}\"\n {{ end -}}\n {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts \"\") \"\") -}}\n - \"-o\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}\"\n {{ end -}}\n {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}\n - \"-k\"\n - \"{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}\"\n {{ end -}}\n {{ if .Values.istio_cni.enabled -}}\n - \"--run-validation\"\n - \"--skip-rule-apply\"\n {{ end -}}\n imagePullPolicy: \"{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}\"\n {{- if .ProxyConfig.ProxyMetadata }}\n env:\n {{- range $key, $value := .ProxyConfig.ProxyMetadata }}\n - name: {{ $key }}\n value: \"{{ $value }}\"\n {{- end }}\n {{- end }}\n resources:\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}\n requests:\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}\n cpu: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}\"\n {{ end }}\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}\n memory: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}\"\n {{ end }}\n {{- end }}\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}\n limits:\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}\n cpu: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}\"\n {{ end }}\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}\n memory: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}\"\n {{ end }}\n {{- end }}\n {{- else }}\n {{- if .Values.global.proxy.resources }}\n {{ toYaml .Values.global.proxy.resources | indent 6 }}\n {{- end }}\n {{- end }}\n securityContext:\n allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}\n privileged: {{ .Values.global.proxy.privileged }}\n capabilities:\n {{- if not .Values.istio_cni.enabled }}\n add:\n - NET_ADMIN\n - NET_RAW\n {{- end }}\n drop:\n - ALL\n {{- if not .Values.istio_cni.enabled }}\n readOnlyRootFilesystem: false\n runAsGroup: 0\n runAsNonRoot: false\n runAsUser: 0\n {{- else }}\n readOnlyRootFilesystem: true\n runAsGroup: 1337\n runAsUser: 1337\n runAsNonRoot: true\n {{- end }}\n restartPolicy: Always\n {{ end -}}\n {{- if eq .Values.global.proxy.enableCoreDump true }}\n - name: enable-core-dump\n args:\n - -c\n - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited\n command:\n - /bin/sh\n {{- if contains \"/\" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}\n image: \"{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}\"\n {{- else }}\n image: \"{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}\"\n {{- end }}\n imagePullPolicy: \"{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}\"\n resources: {}\n securityContext:\n allowPrivilegeEscalation: true\n capabilities:\n add:\n - SYS_ADMIN\n drop:\n - ALL\n privileged: true\n readOnlyRootFilesystem: false\n runAsGroup: 0\n runAsNonRoot: false\n runAsUser: 0\n {{ end }}\n containers:\n - name: istio-proxy\n {{- if contains \"/\" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}\n image: \"{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}\"\n {{- else }}\n image: \"{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}\"\n {{- end }}\n ports:\n - containerPort: 15090\n protocol: TCP\n name: http-envoy-prom\n args:\n - proxy\n - sidecar\n - --domain\n - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}\n - --serviceCluster\n {{ if ne \"\" (index .ObjectMeta.Labels \"app\") -}}\n - \"{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)\"\n {{ else -}}\n - \"{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}\"\n {{ end -}}\n - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}\n - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}\n - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}\n {{- if .Values.global.sts.servicePort }}\n - --stsPort={{ .Values.global.sts.servicePort }}\n {{- end }}\n {{- if .Values.global.logAsJson }}\n - --log_as_json\n {{- end }}\n {{- if gt .ProxyConfig.Concurrency.GetValue 0 }}\n - --concurrency\n - \"{{ .ProxyConfig.Concurrency.GetValue }}\"\n {{- end -}}\n {{- if .Values.global.proxy.lifecycle }}\n lifecycle:\n {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}\n {{- else if $holdProxy }}\n lifecycle:\n postStart:\n exec:\n command:\n - pilot-agent\n - wait\n {{- end }}\n env:\n - name: JWT_POLICY\n value: {{ .Values.global.jwtPolicy }}\n - name: PILOT_CERT_PROVIDER\n value: {{ .Values.global.pilotCertProvider }}\n - name: CA_ADDR\n {{- if .Values.global.caAddress }}\n value: {{ .Values.global.caAddress }}\n {{- else }}\n value: istiod{{- if not (eq .Values.revision \"\") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012\n {{- end }}\n - name: POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n - name: SERVICE_ACCOUNT\n valueFrom:\n fieldRef:\n fieldPath: spec.serviceAccountName\n - name: HOST_IP\n valueFrom:\n fieldRef:\n fieldPath: status.hostIP\n - name: CANONICAL_SERVICE\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-name']\n - name: CANONICAL_REVISION\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-revision']\n - name: PROXY_CONFIG\n value: |\n {{ protoToJSON .ProxyConfig }}\n - name: ISTIO_META_POD_PORTS\n value: |-\n [\n {{- $first := true }}\n {{- range $index1, $c := .Spec.Containers }}\n {{- range $index2, $p := $c.Ports }}\n {{- if (structToJSON $p) }}\n {{if not $first}},{{end}}{{ structToJSON $p }}\n {{- $first = false }}\n {{- end }}\n {{- end}}\n {{- end}}\n ]\n - name: ISTIO_META_APP_CONTAINERS\n value: \"{{ $containers | join \",\" }}\"\n - name: ISTIO_META_CLUSTER_ID\n value: \"{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}\"\n - name: ISTIO_META_INTERCEPTION_MODE\n value: \"{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}\"\n {{- if .Values.global.network }}\n - name: ISTIO_META_NETWORK\n value: \"{{ .Values.global.network }}\"\n {{- end }}\n {{ if .ObjectMeta.Annotations }}\n - name: ISTIO_METAJSON_ANNOTATIONS\n value: |\n {{ toJSON .ObjectMeta.Annotations }}\n {{ end }}\n {{- if .DeploymentMeta.Name }}\n - name: ISTIO_META_WORKLOAD_NAME\n value: \"{{ .DeploymentMeta.Name }}\"\n {{ end }}\n {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}\n - name: ISTIO_META_OWNER\n value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}\n {{- end}}\n {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}\n - name: ISTIO_BOOTSTRAP_OVERRIDE\n value: \"/etc/istio/custom-bootstrap/custom_bootstrap.json\"\n {{- end }}\n {{- if .Values.global.meshID }}\n - name: ISTIO_META_MESH_ID\n value: \"{{ .Values.global.meshID }}\"\n {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}\n - name: ISTIO_META_MESH_ID\n value: \"{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}\"\n {{- end }}\n {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}\n - name: TRUST_DOMAIN\n value: \"{{ . }}\"\n {{- end }}\n {{- if and (eq .Values.global.proxy.tracer \"datadog\") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}\n {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}\n - name: {{ $key }}\n value: \"{{ $value }}\"\n {{- end }}\n {{- end }}\n {{- range $key, $value := .ProxyConfig.ProxyMetadata }}\n - name: {{ $key }}\n value: \"{{ $value }}\"\n {{- end }}\n imagePullPolicy: \"{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}\"\n {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}\n readinessProbe:\n httpGet:\n path: /healthz/ready\n port: 15021\n initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}\n periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}\n timeoutSeconds: 3\n failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}\n {{ end -}}\n securityContext:\n allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}\n capabilities:\n {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}\n add:\n {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}\n - NET_ADMIN\n {{- end }}\n {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}\n - NET_BIND_SERVICE\n {{- end }}\n {{- end }}\n drop:\n - ALL\n privileged: {{ .Values.global.proxy.privileged }}\n readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}\n runAsGroup: 1337\n fsGroup: 1337\n {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}\n runAsNonRoot: false\n runAsUser: 0\n {{- else -}}\n runAsNonRoot: true\n runAsUser: 1337\n {{- end }}\n resources:\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}\n requests:\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}\n cpu: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}\"\n {{ end }}\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}\n memory: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}\"\n {{ end }}\n {{- end }}\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}\n limits:\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}\n cpu: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}\"\n {{ end }}\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}\n memory: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}\"\n {{ end }}\n {{- end }}\n {{- else }}\n {{- if .Values.global.proxy.resources }}\n {{ toYaml .Values.global.proxy.resources | indent 6 }}\n {{- end }}\n {{- end }}\n volumeMounts:\n {{- if eq .Values.global.pilotCertProvider \"istiod\" }}\n - mountPath: /var/run/secrets/istio\n name: istiod-ca-cert\n {{- end }}\n - mountPath: /var/lib/istio/data\n name: istio-data\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}\n - mountPath: /etc/istio/custom-bootstrap\n name: custom-bootstrap-volume\n {{- end }}\n # SDS channel between istioagent and Envoy\n - mountPath: /etc/istio/proxy\n name: istio-envoy\n {{- if eq .Values.global.jwtPolicy \"third-party-jwt\" }}\n - mountPath: /var/run/secrets/tokens\n name: istio-token\n {{- end }}\n {{- if .Values.global.mountMtlsCerts }}\n # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.\n - mountPath: /etc/certs/\n name: istio-certs\n readOnly: true\n {{- end }}\n - name: istio-podinfo\n mountPath: /etc/istio/pod\n {{- if and (eq .Values.global.proxy.tracer \"lightstep\") .ProxyConfig.GetTracing.GetTlsSettings }}\n - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}\n name: lightstep-certs\n readOnly: true\n {{- end }}\n {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}\n {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}\n - name: \"{{ $index }}\"\n {{ toYaml $value | indent 6 }}\n {{ end }}\n {{- end }}\n volumes:\n {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}\n - name: custom-bootstrap-volume\n configMap:\n name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` \"\" }}\n {{- end }}\n # SDS channel between istioagent and Envoy\n - emptyDir:\n medium: Memory\n name: istio-envoy\n - name: istio-data\n emptyDir: {}\n - name: istio-podinfo\n downwardAPI:\n items:\n - path: \"labels\"\n fieldRef:\n fieldPath: metadata.labels\n - path: \"annotations\"\n fieldRef:\n fieldPath: metadata.annotations\n - path: \"cpu-limit\"\n resourceFieldRef:\n containerName: istio-proxy\n resource: limits.cpu\n divisor: 1m\n - path: \"cpu-request\"\n resourceFieldRef:\n containerName: istio-proxy\n resource: requests.cpu\n divisor: 1m\n {{- if eq .Values.global.jwtPolicy \"third-party-jwt\" }}\n - name: istio-token\n projected:\n sources:\n - serviceAccountToken:\n path: istio-token\n expirationSeconds: 43200\n audience: {{ .Values.global.sds.token.aud }}\n {{- end }}\n {{- if eq .Values.global.pilotCertProvider \"istiod\" }}\n - name: istiod-ca-cert\n configMap:\n name: istio-ca-root-cert\n {{- end }}\n {{- if .Values.global.mountMtlsCerts }}\n # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.\n - name: istio-certs\n secret:\n optional: true\n {{ if eq .Spec.ServiceAccountName \"\" }}\n secretName: istio.default\n {{ else -}}\n secretName: {{ printf \"istio.%s\" .Spec.ServiceAccountName }}\n {{ end -}}\n {{- end }}\n {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}\n {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}\n - name: \"{{ $index }}\"\n {{ toYaml $value | indent 4 }}\n {{ end }}\n {{ end }}\n {{- if and (eq .Values.global.proxy.tracer \"lightstep\") .ProxyConfig.GetTracing.GetTlsSettings }}\n - name: lightstep-certs\n secret:\n optional: true\n secretName: lightstep.cacert\n {{- end }}\n {{- if .Values.global.imagePullSecrets }}\n imagePullSecrets:\n {{- range .Values.global.imagePullSecrets }}\n - name: {{ . }}\n {{- end }}\n {{- end }}\n {{- if eq (env \"ENABLE_LEGACY_FSGROUP_INJECTION\" \"true\") \"true\" }}\n securityContext:\n fsGroup: 1337\n {{- end }}\n values: |-\n {\n \"global\": {\n \"arch\": {\n \"amd64\": 2,\n \"ppc64le\": 2,\n \"s390x\": 2\n },\n \"caAddress\": \"\",\n \"configValidation\": true,\n \"defaultNodeSelector\": {},\n \"defaultPodDisruptionBudget\": {\n \"enabled\": true\n },\n \"defaultResources\": {\n \"requests\": {\n \"cpu\": \"10m\"\n }\n },\n \"enabled\": true,\n \"externalIstiod\": false,\n \"hub\": \"docker.io/istio\",\n \"imagePullPolicy\": \"\",\n \"imagePullSecrets\": [],\n \"istioNamespace\": \"istio-system\",\n \"istiod\": {\n \"enableAnalysis\": false\n },\n \"jwtPolicy\": \"third-party-jwt\",\n \"logAsJson\": false,\n \"logging\": {\n \"level\": \"default:info\"\n },\n \"meshID\": \"\",\n \"meshNetworks\": {},\n \"mountMtlsCerts\": false,\n \"multiCluster\": {\n \"clusterName\": \"\",\n \"enabled\": false\n },\n \"namespace\": \"istio-system\",\n \"network\": \"\",\n \"omitSidecarInjectorConfigMap\": false,\n \"oneNamespace\": false,\n \"operatorManageWebhooks\": false,\n \"pilotCertProvider\": \"istiod\",\n \"priorityClassName\": \"\",\n \"proxy\": {\n \"autoInject\": \"enabled\",\n \"clusterDomain\": \"cluster.local\",\n \"componentLogLevel\": \"misc:error\",\n \"enableCoreDump\": false,\n \"excludeIPRanges\": \"\",\n \"excludeInboundPorts\": \"\",\n \"excludeOutboundPorts\": \"\",\n \"holdApplicationUntilProxyStarts\": false,\n \"image\": \"proxyv2\",\n \"includeIPRanges\": \"*\",\n \"logLevel\": \"warning\",\n \"privileged\": false,\n \"readinessFailureThreshold\": 30,\n \"readinessInitialDelaySeconds\": 1,\n \"readinessPeriodSeconds\": 2,\n \"resources\": {\n \"limits\": {\n \"cpu\": \"2000m\",\n \"memory\": \"1024Mi\"\n },\n \"requests\": {\n \"cpu\": \"10m\",\n \"memory\": \"40Mi\"\n }\n },\n \"statusPort\": 15020,\n \"tracer\": \"zipkin\"\n },\n \"proxy_init\": {\n \"image\": \"proxyv2\",\n \"resources\": {\n \"limits\": {\n \"cpu\": \"2000m\",\n \"memory\": \"1024Mi\"\n },\n \"requests\": {\n \"cpu\": \"10m\",\n \"memory\": \"10Mi\"\n }\n }\n },\n \"remotePilotAddress\": \"\",\n \"sds\": {\n \"token\": {\n \"aud\": \"istio-ca\"\n }\n },\n \"sts\": {\n \"servicePort\": 0\n },\n \"tag\": \"1.9.0\",\n \"tracer\": {\n \"datadog\": {\n \"address\": \"$(HOST_IP):8126\"\n },\n \"lightstep\": {\n \"accessToken\": \"\",\n \"address\": \"\"\n },\n \"stackdriver\": {\n \"debug\": false,\n \"maxNumberOfAnnotations\": 200,\n \"maxNumberOfAttributes\": 200,\n \"maxNumberOfMessageEvents\": 200\n },\n \"zipkin\": {\n \"address\": \"\"\n }\n },\n \"trustDomain\": \"\",\n \"useMCP\": false\n },\n \"istio_cni\": {\n \"enabled\": false\n },\n \"revision\": \"\",\n \"sidecarInjectorWebhook\": {\n \"alwaysInjectSelector\": [],\n \"defaultTemplates\": [],\n \"enableNamespacesByDefault\": false,\n \"injectedAnnotations\": {},\n \"neverInjectSelector\": [],\n \"objectSelector\": {\n \"autoInject\": true,\n \"enabled\": true\n },\n \"rewriteAppHTTPProbe\": true,\n \"templates\": {},\n \"useLegacySelectors\": true\n }\n }\nkind: ConfigMap\nmetadata:\n labels:\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: Pilot\n release: istio\n name: istio-sidecar-injector\n namespace: istio-system\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: istio-ingressgateway\n install.operator.istio.io/owning-resource: unknown\n istio: ingressgateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: istio-ingressgateway\n namespace: istio-system\nspec:\n ports:\n - name: status-port\n port: 15021\n protocol: TCP\n targetPort: 15021\n - name: http2\n port: 80\n protocol: TCP\n targetPort: 8080\n nodePort: 30000\n - name: https\n port: 443\n protocol: TCP\n targetPort: 8443\n - name: tcp\n port: 31400\n protocol: TCP\n targetPort: 31400\n - name: tls\n port: 15443\n protocol: TCP\n targetPort: 15443\n selector:\n app: istio-ingressgateway\n istio: ingressgateway\n type: NodePort\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: istiod\n install.operator.istio.io/owning-resource: unknown\n istio: pilot\n istio.io/rev: default\n operator.istio.io/component: Pilot\n release: istio\n name: istiod\n namespace: istio-system\nspec:\n ports:\n - name: grpc-xds\n port: 15010\n protocol: TCP\n - name: https-dns\n port: 15012\n protocol: TCP\n - name: https-webhook\n port: 443\n protocol: TCP\n targetPort: 15017\n - name: http-monitoring\n port: 15014\n protocol: TCP\n selector:\n app: istiod\n istio: pilot\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: istio-ingressgateway\n install.operator.istio.io/owning-resource: unknown\n istio: ingressgateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: istio-ingressgateway\n namespace: istio-system\nspec:\n selector:\n matchLabels:\n app: istio-ingressgateway\n istio: ingressgateway\n strategy:\n rollingUpdate:\n maxSurge: 100%\n maxUnavailable: 25%\n template:\n metadata:\n annotations:\n prometheus.io/path: /stats/prometheus\n prometheus.io/port: \"15020\"\n prometheus.io/scrape: \"true\"\n sidecar.istio.io/inject: \"false\"\n labels:\n app: istio-ingressgateway\n chart: gateways\n heritage: Tiller\n install.operator.istio.io/owning-resource: unknown\n istio: ingressgateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n service.istio.io/canonical-name: istio-ingressgateway\n service.istio.io/canonical-revision: latest\n sidecar.istio.io/inject: \"false\"\n spec:\n affinity:\n nodeAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - amd64\n weight: 2\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - ppc64le\n weight: 2\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - s390x\n weight: 2\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - amd64\n - ppc64le\n - s390x\n containers:\n - args:\n - proxy\n - router\n - --domain\n - $(POD_NAMESPACE).svc.cluster.local\n - --proxyLogLevel=warning\n - --proxyComponentLogLevel=misc:error\n - --log_output_level=default:info\n - --serviceCluster\n - istio-ingressgateway\n env:\n - name: JWT_POLICY\n value: third-party-jwt\n - name: PILOT_CERT_PROVIDER\n value: istiod\n - name: CA_ADDR\n value: istiod.istio-system.svc:15012\n - name: NODE_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: spec.nodeName\n - name: POD_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.namespace\n - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: status.podIP\n - name: HOST_IP\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: status.hostIP\n - name: SERVICE_ACCOUNT\n valueFrom:\n fieldRef:\n fieldPath: spec.serviceAccountName\n - name: CANONICAL_SERVICE\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-name']\n - name: CANONICAL_REVISION\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-revision']\n - name: ISTIO_META_WORKLOAD_NAME\n value: istio-ingressgateway\n - name: ISTIO_META_OWNER\n value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway\n - name: ISTIO_META_UNPRIVILEGED_POD\n value: \"true\"\n - name: ISTIO_META_ROUTER_MODE\n value: standard\n - name: ISTIO_META_CLUSTER_ID\n value: Kubernetes\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-proxyv2:1.9.0-e8a74\n name: istio-proxy\n ports:\n - containerPort: 15021\n protocol: TCP\n - containerPort: 8080\n protocol: TCP\n - containerPort: 8443\n protocol: TCP\n - containerPort: 31400\n protocol: TCP\n - containerPort: 15443\n protocol: TCP\n - containerPort: 15090\n name: http-envoy-prom\n protocol: TCP\n readinessProbe:\n failureThreshold: 30\n httpGet:\n path: /healthz/ready\n port: 15021\n scheme: HTTP\n initialDelaySeconds: 1\n periodSeconds: 2\n successThreshold: 1\n timeoutSeconds: 1\n resources:\n limits:\n cpu: 2000m\n memory: 1024Mi\n requests:\n cpu: 10m\n memory: 40Mi\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n privileged: false\n readOnlyRootFilesystem: true\n volumeMounts:\n - mountPath: /etc/istio/proxy\n name: istio-envoy\n - mountPath: /etc/istio/config\n name: config-volume\n - mountPath: /var/run/secrets/istio\n name: istiod-ca-cert\n - mountPath: /var/run/secrets/tokens\n name: istio-token\n readOnly: true\n - mountPath: /var/lib/istio/data\n name: istio-data\n - mountPath: /etc/istio/pod\n name: podinfo\n - mountPath: /etc/istio/ingressgateway-certs\n name: ingressgateway-certs\n readOnly: true\n - mountPath: /etc/istio/ingressgateway-ca-certs\n name: ingressgateway-ca-certs\n readOnly: true\n securityContext:\n fsGroup: 1337\n runAsGroup: 1337\n runAsNonRoot: true\n runAsUser: 1337\n serviceAccountName: istio-ingressgateway-service-account\n volumes:\n - configMap:\n name: istio-ca-root-cert\n name: istiod-ca-cert\n - downwardAPI:\n items:\n - fieldRef:\n fieldPath: metadata.labels\n path: labels\n - fieldRef:\n fieldPath: metadata.annotations\n path: annotations\n - path: cpu-limit\n resourceFieldRef:\n containerName: istio-proxy\n divisor: 1m\n resource: limits.cpu\n - path: cpu-request\n resourceFieldRef:\n containerName: istio-proxy\n divisor: 1m\n resource: requests.cpu\n name: podinfo\n - emptyDir: {}\n name: istio-envoy\n - emptyDir: {}\n name: istio-data\n - name: istio-token\n projected:\n sources:\n - serviceAccountToken:\n audience: istio-ca\n expirationSeconds: 43200\n path: istio-token\n - configMap:\n name: istio\n optional: true\n name: config-volume\n - name: ingressgateway-certs\n secret:\n optional: true\n secretName: istio-ingressgateway-certs\n - name: ingressgateway-ca-certs\n secret:\n optional: true\n secretName: istio-ingressgateway-ca-certs\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: istiod\n install.operator.istio.io/owning-resource: unknown\n istio: pilot\n istio.io/rev: default\n operator.istio.io/component: Pilot\n release: istio\n name: istiod\n namespace: istio-system\nspec:\n replicas: 1\n selector:\n matchLabels:\n istio: pilot\n strategy:\n rollingUpdate:\n maxSurge: 100%\n maxUnavailable: 25%\n template:\n metadata:\n annotations:\n prometheus.io/port: \"15014\"\n prometheus.io/scrape: \"true\"\n sidecar.istio.io/inject: \"false\"\n labels:\n app: istiod\n install.operator.istio.io/owning-resource: unknown\n istio: pilot\n istio.io/rev: default\n operator.istio.io/component: Pilot\n sidecar.istio.io/inject: \"false\"\n spec:\n containers:\n - args:\n - discovery\n - --monitoringAddr=:15014\n - --log_output_level=default:info\n - --domain\n - cluster.local\n - --keepaliveMaxServerConnectionAge\n - 30m\n env:\n - name: REVISION\n value: default\n - name: JWT_POLICY\n value: third-party-jwt\n - name: PILOT_CERT_PROVIDER\n value: istiod\n - name: POD_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.namespace\n - name: SERVICE_ACCOUNT\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: spec.serviceAccountName\n - name: KUBECONFIG\n value: /var/run/secrets/remote/config\n - name: PILOT_TRACE_SAMPLING\n value: \"100\"\n - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND\n value: \"true\"\n - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND\n value: \"true\"\n - name: ISTIOD_ADDR\n value: istiod.istio-system.svc:15012\n - name: PILOT_ENABLE_ANALYSIS\n value: \"false\"\n - name: CLUSTER_ID\n value: Kubernetes\n - name: EXTERNAL_ISTIOD\n value: \"false\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-pilot:1.9.0-9d4e9\n name: discovery\n ports:\n - containerPort: 8080\n protocol: TCP\n - containerPort: 15010\n protocol: TCP\n - containerPort: 15017\n protocol: TCP\n readinessProbe:\n httpGet:\n path: /ready\n port: 8080\n initialDelaySeconds: 1\n periodSeconds: 3\n timeoutSeconds: 5\n resources:\n requests:\n cpu: 10m\n memory: 100Mi\n securityContext:\n capabilities:\n drop:\n - ALL\n runAsGroup: 1337\n runAsNonRoot: true\n runAsUser: 1337\n volumeMounts:\n - mountPath: /etc/istio/config\n name: config-volume\n - mountPath: /var/run/secrets/tokens\n name: istio-token\n readOnly: true\n - mountPath: /var/run/secrets/istio-dns\n name: local-certs\n - mountPath: /etc/cacerts\n name: cacerts\n readOnly: true\n - mountPath: /var/run/secrets/remote\n name: istio-kubeconfig\n readOnly: true\n - mountPath: /var/lib/istio/inject\n name: inject\n readOnly: true\n nodeSelector: {}\n securityContext:\n fsGroup: 1337\n serviceAccountName: istiod-service-account\n volumes:\n - emptyDir:\n medium: Memory\n name: local-certs\n - name: istio-token\n projected:\n sources:\n - serviceAccountToken:\n audience: istio-ca\n expirationSeconds: 43200\n path: istio-token\n - name: cacerts\n secret:\n optional: true\n secretName: cacerts\n - name: istio-kubeconfig\n secret:\n optional: true\n secretName: istio-kubeconfig\n - configMap:\n name: istio-sidecar-injector\n name: inject\n - configMap:\n name: istio\n name: config-volume\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n labels:\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: Pilot\n name: metadata-exchange-1.8\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: HTTP_FILTER\n match:\n context: SIDECAR_INBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {}\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.metadata_exchange\n runtime: envoy.wasm.runtime.null\n - applyTo: HTTP_FILTER\n match:\n context: SIDECAR_OUTBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {}\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.metadata_exchange\n runtime: envoy.wasm.runtime.null\n - applyTo: HTTP_FILTER\n match:\n context: GATEWAY\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {}\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.metadata_exchange\n runtime: envoy.wasm.runtime.null\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n labels:\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: Pilot\n name: metadata-exchange-1.9\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: HTTP_FILTER\n match:\n context: SIDECAR_INBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {}\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.metadata_exchange\n runtime: envoy.wasm.runtime.null\n - applyTo: HTTP_FILTER\n match:\n context: SIDECAR_OUTBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {}\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.metadata_exchange\n runtime: envoy.wasm.runtime.null\n - applyTo: HTTP_FILTER\n match:\n context: GATEWAY\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {}\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.metadata_exchange\n runtime: envoy.wasm.runtime.null\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n labels:\n istio.io/rev: default\n name: stats-filter-1.8\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: HTTP_FILTER\n match:\n context: SIDECAR_OUTBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n subFilter:\n name: envoy.filters.http.router\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n }\n root_id: stats_outbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: stats_outbound\n - applyTo: HTTP_FILTER\n match:\n context: SIDECAR_INBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n subFilter:\n name: envoy.filters.http.router\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n }\n root_id: stats_inbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: stats_inbound\n - applyTo: HTTP_FILTER\n match:\n context: GATEWAY\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n subFilter:\n name: envoy.filters.http.router\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n \"disable_host_header_fallback\": true\n }\n root_id: stats_outbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: stats_outbound\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n labels:\n istio.io/rev: default\n name: stats-filter-1.9\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: HTTP_FILTER\n match:\n context: SIDECAR_OUTBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n subFilter:\n name: envoy.filters.http.router\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\",\n \"metrics\": [\n {\n \"dimensions\": {\n \"source_cluster\": \"node.metadata['CLUSTER_ID']\",\n \"destination_cluster\": \"upstream_peer.cluster_id\"\n }\n }\n ]\n }\n root_id: stats_outbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: stats_outbound\n - applyTo: HTTP_FILTER\n match:\n context: SIDECAR_INBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n subFilter:\n name: envoy.filters.http.router\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\",\n \"metrics\": [\n {\n \"dimensions\": {\n \"destination_cluster\": \"node.metadata['CLUSTER_ID']\",\n \"source_cluster\": \"downstream_peer.cluster_id\"\n }\n }\n ]\n }\n root_id: stats_inbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: stats_inbound\n - applyTo: HTTP_FILTER\n match:\n context: GATEWAY\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.http_connection_manager\n subFilter:\n name: envoy.filters.http.router\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\",\n \"disable_host_header_fallback\": true,\n \"metrics\": [\n {\n \"dimensions\": {\n \"source_cluster\": \"node.metadata['CLUSTER_ID']\",\n \"destination_cluster\": \"upstream_peer.cluster_id\"\n }\n }\n ]\n }\n root_id: stats_outbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: stats_outbound\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n labels:\n istio.io/rev: default\n name: tcp-metadata-exchange-1.8\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: NETWORK_FILTER\n match:\n context: SIDECAR_INBOUND\n listener: {}\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange\n value:\n protocol: istio-peer-exchange\n - applyTo: CLUSTER\n match:\n cluster: {}\n context: SIDECAR_OUTBOUND\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: MERGE\n value:\n filters:\n - name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange\n value:\n protocol: istio-peer-exchange\n - applyTo: CLUSTER\n match:\n cluster: {}\n context: GATEWAY\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: MERGE\n value:\n filters:\n - name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange\n value:\n protocol: istio-peer-exchange\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n labels:\n istio.io/rev: default\n name: tcp-metadata-exchange-1.9\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: NETWORK_FILTER\n match:\n context: SIDECAR_INBOUND\n listener: {}\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange\n value:\n protocol: istio-peer-exchange\n - applyTo: CLUSTER\n match:\n cluster: {}\n context: SIDECAR_OUTBOUND\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: MERGE\n value:\n filters:\n - name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange\n value:\n protocol: istio-peer-exchange\n - applyTo: CLUSTER\n match:\n cluster: {}\n context: GATEWAY\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: MERGE\n value:\n filters:\n - name: istio.metadata_exchange\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange\n value:\n protocol: istio-peer-exchange\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n labels:\n istio.io/rev: default\n name: tcp-stats-filter-1.8\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: NETWORK_FILTER\n match:\n context: SIDECAR_INBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.tcp_proxy\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n }\n root_id: stats_inbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: tcp_stats_inbound\n - applyTo: NETWORK_FILTER\n match:\n context: SIDECAR_OUTBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.tcp_proxy\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n }\n root_id: stats_outbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: tcp_stats_outbound\n - applyTo: NETWORK_FILTER\n match:\n context: GATEWAY\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.tcp_proxy\n proxy:\n proxyVersion: ^1\\.8.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n }\n root_id: stats_outbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: tcp_stats_outbound\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n labels:\n istio.io/rev: default\n name: tcp-stats-filter-1.9\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: NETWORK_FILTER\n match:\n context: SIDECAR_INBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.tcp_proxy\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\",\n \"metrics\": [\n {\n \"dimensions\": {\n \"destination_cluster\": \"node.metadata['CLUSTER_ID']\",\n \"source_cluster\": \"downstream_peer.cluster_id\"\n }\n }\n ]\n }\n root_id: stats_inbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: tcp_stats_inbound\n - applyTo: NETWORK_FILTER\n match:\n context: SIDECAR_OUTBOUND\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.tcp_proxy\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\",\n \"metrics\": [\n {\n \"dimensions\": {\n \"source_cluster\": \"node.metadata['CLUSTER_ID']\",\n \"destination_cluster\": \"upstream_peer.cluster_id\"\n }\n }\n ]\n }\n root_id: stats_outbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: tcp_stats_outbound\n - applyTo: NETWORK_FILTER\n match:\n context: GATEWAY\n listener:\n filterChain:\n filter:\n name: envoy.filters.network.tcp_proxy\n proxy:\n proxyVersion: ^1\\.9.*\n patch:\n operation: INSERT_BEFORE\n value:\n name: istio.stats\n typed_config:\n '@type': type.googleapis.com/udpa.type.v1.TypedStruct\n type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm\n value:\n config:\n configuration:\n '@type': type.googleapis.com/google.protobuf.StringValue\n value: |\n {\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\",\n \"metrics\": [\n {\n \"dimensions\": {\n \"source_cluster\": \"node.metadata['CLUSTER_ID']\",\n \"destination_cluster\": \"upstream_peer.cluster_id\"\n }\n }\n ]\n }\n root_id: stats_outbound\n vm_config:\n code:\n local:\n inline_string: envoy.wasm.stats\n runtime: envoy.wasm.runtime.null\n vm_id: tcp_stats_outbound\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n name: x-forwarded-host\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: HTTP_FILTER\n match:\n context: GATEWAY\n listener:\n filterChain:\n filter:\n name: envoy.http_connection_manager\n subFilter:\n name: envoy.router\n patch:\n operation: INSERT_BEFORE\n value:\n name: envoy.filters.http.lua\n typed_config:\n '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua\n inlineCode: |\n function envoy_on_request(request_handle)\n local host = request_handle:headers():get(\":authority\")\n request_handle:headers():add(\"x-forwarded-host\", host)\n end\n workloadSelector:\n labels:\n istio: ingressgateway\n---\napiVersion: networking.istio.io/v1alpha3\nkind: Gateway\nmetadata:\n labels:\n release: istio\n name: istio-ingressgateway\n namespace: istio-system\nspec:\n selector:\n app: istio-ingressgateway\n istio: ingressgateway\n servers:\n - hosts:\n - '*'\n port:\n name: http\n number: 80\n protocol: HTTP\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n name: global-deny-all\n namespace: istio-system\nspec: {}\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n name: istio-ingressgateway\n namespace: istio-system\nspec:\n action: ALLOW\n rules:\n - {}\n selector:\n matchLabels:\n app: istio-ingressgateway\n istio: ingressgateway\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: MutatingWebhookConfiguration\nmetadata:\n labels:\n app: sidecar-injector\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: Pilot\n release: istio\n name: istio-sidecar-injector\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n - v1\n clientConfig:\n caBundle: \"\"\n service:\n name: istiod\n namespace: istio-system\n path: /inject\n failurePolicy: Fail\n name: sidecar-injector.istio.io\n namespaceSelector:\n matchLabels:\n istio-injection: enabled\n objectSelector:\n matchExpressions:\n - key: sidecar.istio.io/inject\n operator: NotIn\n values:\n - \"false\"\n rules:\n - apiGroups:\n - \"\"\n apiVersions:\n - v1\n operations:\n - CREATE\n resources:\n - pods\n sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n labels:\n app: istiod\n istio: istiod\n release: istio\n name: istiod-istio-system\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n - v1\n clientConfig:\n caBundle: \"\"\n service:\n name: istiod\n namespace: istio-system\n path: /validate\n failurePolicy: Ignore\n name: validation.istio.io\n rules:\n - apiGroups:\n - security.istio.io\n - networking.istio.io\n apiVersions:\n - '*'\n operations:\n - CREATE\n - UPDATE\n resources:\n - '*'\n sideEffects: None\n"
},
{
"path": "manifest1.3/007-oidc-authservice-oidc-authservice-base.yaml",
"content": "apiVersion: v1\ndata:\n OIDC_AUTH_URL: /dex/auth\n OIDC_PROVIDER: http://dex.auth.svc.cluster.local:5556/dex\n OIDC_SCOPES: profile email groups\n PORT: '\"8080\"'\n REDIRECT_URL: /login/oidc\n SKIP_AUTH_URI: /dex\n STORE_PATH: /var/lib/authservice/data.db\n USERID_CLAIM: email\n USERID_HEADER: kubeflow-userid\n USERID_PREFIX: \"\"\nkind: ConfigMap\nmetadata:\n name: oidc-authservice-parameters\n namespace: istio-system\n---\napiVersion: v1\ndata:\n CLIENT_ID: a3ViZWZsb3ctb2lkYy1hdXRoc2VydmljZQ==\n CLIENT_SECRET: cFVCbkJPWTgwU25YZ2ppYlRZTTlaV056WTJ4cmVOR1Fvaw==\nkind: Secret\nmetadata:\n name: oidc-authservice-client\n namespace: istio-system\ntype: Opaque\n---\napiVersion: v1\nkind: Service\nmetadata:\n name: authservice\n namespace: istio-system\nspec:\n ports:\n - name: http-authservice\n port: 8080\n targetPort: http-api\n publishNotReadyAddresses: true\n selector:\n app: authservice\n type: ClusterIP\n---\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: authservice-pvc\n namespace: istio-system\nspec:\n accessModes:\n - ReadWriteOnce\n resources:\n requests:\n storage: 10Gi\n---\napiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n name: authservice\n namespace: istio-system\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: authservice\n serviceName: authservice\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: authservice\n spec:\n containers:\n - envFrom:\n - secretRef:\n name: oidc-authservice-client\n - configMapRef:\n name: oidc-authservice-parameters\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflow-oidc-authservice:28c59ef-c8870\n imagePullPolicy: Always\n name: authservice\n ports:\n - containerPort: 8080\n name: http-api\n readinessProbe:\n httpGet:\n path: /\n port: 8081\n volumeMounts:\n - mountPath: /var/lib/authservice\n name: data\n securityContext:\n fsGroup: 111\n volumes:\n - name: data\n persistentVolumeClaim:\n claimName: authservice-pvc\n---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n name: authn-filter\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: HTTP_FILTER\n listener:\n filterChain:\n filter:\n name: envoy.http_connection_manager\n subFilter:\n name: \"\"\n match:\n context: GATEWAY\n patch:\n operation: INSERT_BEFORE\n value:\n name: envoy.filters.http.ext_authz\n typed_config:\n '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz\n http_service:\n authorization_request:\n allowed_headers:\n patterns:\n - exact: authorization\n - exact: cookie\n - exact: x-auth-token\n authorization_response:\n allowed_upstream_headers:\n patterns:\n - exact: kubeflow-userid\n server_uri:\n cluster: outbound|8080||authservice.istio-system.svc.cluster.local\n timeout: 10s\n uri: http://authservice.istio-system.svc.cluster.local\n workloadSelector:\n labels:\n istio: ingressgateway\n"
},
{
"path": "manifest1.3/008-dex-overlays-istio.yaml",
"content": "apiVersion: v1\nkind: Namespace\nmetadata:\n name: auth\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: authcodes.dex.coreos.com\nspec:\n group: dex.coreos.com\n names:\n kind: AuthCode\n listKind: AuthCodeList\n plural: authcodes\n singular: authcode\n scope: Namespaced\n version: v1\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: dex\n namespace: auth\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n name: dex\nrules:\n- apiGroups:\n - dex.coreos.com\n resources:\n - '*'\n verbs:\n - '*'\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n name: dex\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: dex\nsubjects:\n- kind: ServiceAccount\n name: dex\n namespace: auth\n---\napiVersion: v1\ndata:\n config.yaml: |\n issuer: http://dex.auth.svc.cluster.local:5556/dex\n storage:\n type: kubernetes\n config:\n inCluster: true\n web:\n http: 0.0.0.0:5556\n logger:\n level: \"debug\"\n format: text\n oauth2:\n skipApprovalScreen: true\n enablePasswordDB: true\n staticPasswords:\n - email: user@example.com\n hash: $2y$12$4K/VkmDd1q1Orb3xAt82zu8gk7Ad6ReFR4LCP9UeYE90NLiN9Df72\n # https://github.com/dexidp/dex/pull/1601/commits\n # FIXME: Use hashFromEnv instead\n username: user\n userID: \"15841185641784\"\n staticClients:\n # https://github.com/dexidp/dex/pull/1664\n - idEnv: OIDC_CLIENT_ID\n redirectURIs: [\"/login/oidc\"]\n name: 'Dex Login Application'\n secretEnv: OIDC_CLIENT_SECRET\nkind: ConfigMap\nmetadata:\n name: dex\n namespace: auth\n---\napiVersion: v1\ndata:\n OIDC_CLIENT_ID: a3ViZWZsb3ctb2lkYy1hdXRoc2VydmljZQ==\n OIDC_CLIENT_SECRET: cFVCbkJPWTgwU25YZ2ppYlRZTTlaV056WTJ4cmVOR1Fvaw==\nkind: Secret\nmetadata:\n name: dex-oidc-client\n namespace: auth\ntype: Opaque\n---\napiVersion: v1\nkind: Service\nmetadata:\n name: dex\n namespace: auth\nspec:\n ports:\n - name: dex\n nodePort: 32000\n port: 5556\n protocol: TCP\n targetPort: 5556\n selector:\n app: dex\n type: NodePort\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: dex\n name: dex\n namespace: auth\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: dex\n template:\n metadata:\n labels:\n app: dex\n spec:\n containers:\n - command:\n - dex\n - serve\n - /etc/dex/cfg/config.yaml\n envFrom:\n - secretRef:\n name: dex-oidc-client\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/dexidp-dex:v2.24.0-bb0b9\n name: dex\n ports:\n - containerPort: 5556\n name: http\n volumeMounts:\n - mountPath: /etc/dex/cfg\n name: config\n serviceAccountName: dex\n volumes:\n - configMap:\n items:\n - key: config.yaml\n path: config.yaml\n name: dex\n name: config\n---\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n name: dex\n namespace: auth\nspec:\n gateways:\n - kubeflow/kubeflow-gateway\n hosts:\n - '*'\n http:\n - match:\n - uri:\n prefix: /dex/\n route:\n - destination:\n host: dex.auth.svc.cluster.local\n port:\n number: 5556\n"
},
{
"path": "manifest1.3/009-knative-knative-serving-crds-base.yaml",
"content": "apiVersion: v1\nkind: Namespace\nmetadata:\n labels:\n serving.knative.dev/release: v0.14.3\n name: knative-serving\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n knative.dev/crd-install: \"true\"\n serving.knative.dev/release: v0.14.3\n name: certificates.networking.internal.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n group: networking.internal.knative.dev\n names:\n categories:\n - knative-internal\n - networking\n kind: Certificate\n plural: certificates\n shortNames:\n - kcert\n singular: certificate\n scope: Namespaced\n subresources:\n status: {}\n version: v1alpha1\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/podspecable: \"true\"\n knative.dev/crd-install: \"true\"\n serving.knative.dev/release: v0.14.3\n name: configurations.serving.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.latestCreatedRevisionName\n name: LatestCreated\n type: string\n - JSONPath: .status.latestReadyRevisionName\n name: LatestReady\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: webhook\n namespace: knative-serving\n group: serving.knative.dev\n names:\n categories:\n - all\n - knative\n - serving\n kind: Configuration\n plural: configurations\n shortNames:\n - config\n - cfg\n singular: configuration\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: false\n - name: v1beta1\n served: true\n storage: false\n - name: v1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n knative.dev/crd-install: \"true\"\n name: images.caching.internal.knative.dev\nspec:\n group: caching.internal.knative.dev\n names:\n categories:\n - knative-internal\n - caching\n kind: Image\n plural: images\n shortNames:\n - img\n singular: image\n scope: Namespaced\n subresources:\n status: {}\n version: v1alpha1\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n knative.dev/crd-install: \"true\"\n serving.knative.dev/release: v0.14.3\n name: ingresses.networking.internal.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n group: networking.internal.knative.dev\n names:\n categories:\n - knative-internal\n - networking\n kind: Ingress\n plural: ingresses\n shortNames:\n - kingress\n - king\n singular: ingress\n scope: Namespaced\n subresources:\n status: {}\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n knative.dev/crd-install: \"true\"\n serving.knative.dev/release: v0.14.3\n name: metrics.autoscaling.internal.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n group: autoscaling.internal.knative.dev\n names:\n categories:\n - knative-internal\n - autoscaling\n kind: Metric\n plural: metrics\n singular: metric\n scope: Namespaced\n subresources:\n status: {}\n version: v1alpha1\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n knative.dev/crd-install: \"true\"\n serving.knative.dev/release: v0.14.3\n name: podautoscalers.autoscaling.internal.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.desiredScale\n name: DesiredScale\n type: integer\n - JSONPath: .status.actualScale\n name: ActualScale\n type: integer\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n group: autoscaling.internal.knative.dev\n names:\n categories:\n - knative-internal\n - autoscaling\n kind: PodAutoscaler\n plural: podautoscalers\n shortNames:\n - kpa\n - pa\n singular: podautoscaler\n scope: Namespaced\n subresources:\n status: {}\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n knative.dev/crd-install: \"true\"\n serving.knative.dev/release: v0.14.3\n name: revisions.serving.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .metadata.labels['serving\\.knative\\.dev/configuration']\n name: Config Name\n type: string\n - JSONPath: .status.serviceName\n name: K8s Service Name\n type: string\n - JSONPath: .metadata.labels['serving\\.knative\\.dev/configurationGeneration']\n name: Generation\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: webhook\n namespace: knative-serving\n group: serving.knative.dev\n names:\n categories:\n - all\n - knative\n - serving\n kind: Revision\n plural: revisions\n shortNames:\n - rev\n singular: revision\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: false\n - name: v1beta1\n served: true\n storage: false\n - name: v1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n knative.dev/crd-install: \"true\"\n serving.knative.dev/release: v0.14.3\n name: routes.serving.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.url\n name: URL\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: webhook\n namespace: knative-serving\n group: serving.knative.dev\n names:\n categories:\n - all\n - knative\n - serving\n kind: Route\n plural: routes\n shortNames:\n - rt\n singular: route\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: false\n - name: v1beta1\n served: true\n storage: false\n - name: v1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n knative.dev/crd-install: \"true\"\n serving.knative.dev/release: v0.14.3\n name: serverlessservices.networking.internal.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .spec.mode\n name: Mode\n type: string\n - JSONPath: .spec.numActivators\n name: Activators\n type: integer\n - JSONPath: .status.serviceName\n name: ServiceName\n type: string\n - JSONPath: .status.privateServiceName\n name: PrivateServiceName\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n group: networking.internal.knative.dev\n names:\n categories:\n - knative-internal\n - networking\n kind: ServerlessService\n plural: serverlessservices\n shortNames:\n - sks\n singular: serverlessservice\n scope: Namespaced\n subresources:\n status: {}\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n duck.knative.dev/podspecable: \"true\"\n knative.dev/crd-install: \"true\"\n serving.knative.dev/release: v0.14.3\n name: services.serving.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.url\n name: URL\n type: string\n - JSONPath: .status.latestCreatedRevisionName\n name: LatestCreated\n type: string\n - JSONPath: .status.latestReadyRevisionName\n name: LatestReady\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: webhook\n namespace: knative-serving\n group: serving.knative.dev\n names:\n categories:\n - all\n - knative\n - serving\n kind: Service\n plural: services\n shortNames:\n - kservice\n - ksvc\n singular: service\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: false\n - name: v1beta1\n served: true\n storage: false\n - name: v1\n served: true\n storage: true\n"
},
{
"path": "manifest1.3/010-knative-knative-serving-install-base.yaml",
"content": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: controller\n namespace: knative-serving\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n duck.knative.dev/addressable: \"true\"\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: knative-serving-addressable-resolver\nrules:\n- apiGroups:\n - serving.knative.dev\n resources:\n - routes\n - routes/status\n - services\n - services/status\n verbs:\n - get\n - list\n - watch\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n serving.knative.dev/controller: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: knative-serving-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/controller: \"true\"\n serving.knative.dev/release: v0.14.3\n name: knative-serving-core\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - namespaces\n - secrets\n - configmaps\n - endpoints\n - services\n - events\n - serviceaccounts\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - \"\"\n resources:\n - endpoints/restricted\n verbs:\n - create\n- apiGroups:\n - apps\n resources:\n - deployments\n - deployments/finalizers\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - admissionregistration.k8s.io\n resources:\n - mutatingwebhookconfigurations\n - validatingwebhookconfigurations\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n - customresourcedefinitions/status\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - autoscaling\n resources:\n - horizontalpodautoscalers\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - coordination.k8s.io\n resources:\n - leases\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - serving.knative.dev\n - autoscaling.internal.knative.dev\n - networking.internal.knative.dev\n resources:\n - '*'\n - '*/status'\n - '*/finalizers'\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - deletecollection\n - patch\n - watch\n- apiGroups:\n - caching.internal.knative.dev\n resources:\n - images\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n networking.knative.dev/ingress-provider: istio\n serving.knative.dev/controller: \"true\"\n serving.knative.dev/release: v0.14.3\n name: knative-serving-istio\nrules:\n- apiGroups:\n - networking.istio.io\n resources:\n - virtualservices\n - gateways\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n serving.knative.dev/release: v0.14.3\n name: knative-serving-namespaced-admin\nrules:\n- apiGroups:\n - serving.knative.dev\n - networking.internal.knative.dev\n - autoscaling.internal.knative.dev\n - caching.internal.knative.dev\n resources:\n - '*'\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n rbac.authorization.k8s.io/aggregate-to-edit: \"true\"\n serving.knative.dev/release: v0.14.3\n name: knative-serving-namespaced-edit\nrules:\n- apiGroups:\n - serving.knative.dev\n - networking.internal.knative.dev\n - autoscaling.internal.knative.dev\n - caching.internal.knative.dev\n resources:\n - '*'\n verbs:\n - create\n - update\n - patch\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n rbac.authorization.k8s.io/aggregate-to-view: \"true\"\n serving.knative.dev/release: v0.14.3\n name: knative-serving-namespaced-view\nrules:\n- apiGroups:\n - serving.knative.dev\n - networking.internal.knative.dev\n - autoscaling.internal.knative.dev\n - caching.internal.knative.dev\n resources:\n - '*'\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n duck.knative.dev/podspecable: \"true\"\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: knative-serving-podspecable-binding\nrules:\n- apiGroups:\n - serving.knative.dev\n resources:\n - configurations\n - services\n verbs:\n - list\n - watch\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: knative-serving-controller-admin\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: knative-serving-admin\nsubjects:\n- kind: ServiceAccount\n name: controller\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # The Revision ContainerConcurrency field specifies the maximum number\n # of requests the Container can handle at once. Container concurrency\n # target percentage is how much of that maximum to use in a stable\n # state. E.g. if a Revision specifies ContainerConcurrency of 10, then\n # the Autoscaler will try to maintain 7 concurrent connections per pod\n # on average.\n # Note: this limit will be applied to container concurrency set at every\n # level (ConfigMap, Revision Spec or Annotation).\n # For legacy and backwards compatibility reasons, this value also accepts\n # fractional values in (0, 1] interval (i.e. 0.7 ⇒ 70%).\n # Thus minimal percentage value must be greater than 1.0, or it will be\n # treated as a fraction.\n # NOTE: that this value does not affect actual number of concurrent requests\n # the user container may receive, but only the average number of requests\n # that the revision pods will receive.\n container-concurrency-target-percentage: \"70\"\n\n # The container concurrency target default is what the Autoscaler will\n # try to maintain when concurrency is used as the scaling metric for the\n # Revision and the Revision specifies unlimited concurrency.\n # When revision explicitly specifies container concurrency, that value\n # will be used as a scaling target for autoscaler.\n # When specifying unlimited concurrency, the autoscaler will\n # horizontally scale the application based on this target concurrency.\n # This is what we call \"soft limit\" in the documentation, i.e. it only\n # affects number of pods and does not affect the number of requests\n # individual pod processes.\n # The value must be a positive number such that the value multiplied\n # by container-concurrency-target-percentage is greater than 0.01.\n # NOTE: that this value will be adjusted by application of\n # container-concurrency-target-percentage, i.e. by default\n # the system will target on average 70 concurrent requests\n # per revision pod.\n # NOTE: Only one metric can be used for autoscaling a Revision.\n container-concurrency-target-default: \"100\"\n\n # The requests per second (RPS) target default is what the Autoscaler will\n # try to maintain when RPS is used as the scaling metric for a Revision and\n # the Revision specifies unlimited RPS. Even when specifying unlimited RPS,\n # the autoscaler will horizontally scale the application based on this\n # target RPS.\n # Must be greater than 1.0.\n # NOTE: Only one metric can be used for autoscaling a Revision.\n requests-per-second-target-default: \"200\"\n\n # The target burst capacity specifies the size of burst in concurrent\n # requests that the system operator expects the system will receive.\n # Autoscaler will try to protect the system from queueing by introducing\n # Activator in the request path if the current spare capacity of the\n # service is less than this setting.\n # If this setting is 0, then Activator will be in the request path only\n # when the revision is scaled to 0.\n # If this setting is > 0 and container-concurrency-target-percentage is\n # 100% or 1.0, then activator will always be in the request path.\n # -1 denotes unlimited target-burst-capacity and activator will always\n # be in the request path.\n # Other negative values are invalid.\n target-burst-capacity: \"200\"\n\n # When operating in a stable mode, the autoscaler operates on the\n # average concurrency over the stable window.\n # Stable window must be in whole seconds.\n stable-window: \"60s\"\n\n # When observed average concurrency during the panic window reaches\n # panic-threshold-percentage the target concurrency, the autoscaler\n # enters panic mode. When operating in panic mode, the autoscaler\n # scales on the average concurrency over the panic window which is\n # panic-window-percentage of the stable-window.\n # When computing the panic window it will be rounded to the closest\n # whole second.\n panic-window-percentage: \"10.0\"\n\n # The percentage of the container concurrency target at which to\n # enter panic mode when reached within the panic window.\n panic-threshold-percentage: \"200.0\"\n\n # Max scale up rate limits the rate at which the autoscaler will\n # increase pod count. It is the maximum ratio of desired pods versus\n # observed pods.\n # Cannot be less or equal to 1.\n # I.e with value of 2.0 the number of pods can at most go N to 2N\n # over single Autoscaler period (see tick-interval), but at least N to\n # N+1, if Autoscaler needs to scale up.\n max-scale-up-rate: \"1000.0\"\n\n # Max scale down rate limits the rate at which the autoscaler will\n # decrease pod count. It is the maximum ratio of observed pods versus\n # desired pods.\n # Cannot be less or equal to 1.\n # I.e. with value of 2.0 the number of pods can at most go N to N/2\n # over single Autoscaler evaluation period (see tick-interval), but at\n # least N to N-1, if Autoscaler needs to scale down.\n max-scale-down-rate: \"2.0\"\n\n # Scale to zero feature flag\n enable-scale-to-zero: \"true\"\n\n # Tick interval is the time between autoscaling calculations.\n tick-interval: \"2s\"\n\n # Scale to zero grace period is the time an inactive revision is left\n # running before it is scaled to zero (min: 6s).\n scale-to-zero-grace-period: \"30s\"\n\n # Enable graceful scaledown feature flag.\n # Once enabled, it allows the autoscaler to prioritize pods processing\n # fewer (or zero) requests for removal when scaling down.\n enable-graceful-scaledown: \"false\"\n\n # pod-autoscaler-class specifies the default pod autoscaler class\n # that should be used if none is specified. If omitted, the Knative\n # Horizontal Pod Autoscaler (KPA) is used by default.\n pod-autoscaler-class: \"kpa.autoscaling.knative.dev\"\n\n # The capacity of a single activator task.\n # The `unit` is one concurrent request proxied by the activator.\n # activator-capacity must be at least 1.\n # This value is used for computation of the Activator subset size.\n # See the algorithm here: http://bit.ly/38XiCZ3.\n # TODO(vagababov): tune after actual benchmarking.\n activator-capacity: \"100.0\"\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-autoscaler\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # revision-timeout-seconds contains the default number of\n # seconds to use for the revision's per-request timeout, if\n # none is specified.\n revision-timeout-seconds: \"300\" # 5 minutes\n\n # max-revision-timeout-seconds contains the maximum number of\n # seconds that can be used for revision-timeout-seconds.\n # This value must be greater than or equal to revision-timeout-seconds.\n # If omitted, the system default is used (600 seconds).\n max-revision-timeout-seconds: \"600\" # 10 minutes\n\n # revision-cpu-request contains the cpu allocation to assign\n # to revisions by default. If omitted, no value is specified\n # and the system default is used.\n revision-cpu-request: \"400m\" # 0.4 of a CPU (aka 400 milli-CPU)\n\n # revision-memory-request contains the memory allocation to assign\n # to revisions by default. If omitted, no value is specified\n # and the system default is used.\n revision-memory-request: \"100M\" # 100 megabytes of memory\n\n # revision-cpu-limit contains the cpu allocation to limit\n # revisions to by default. If omitted, no value is specified\n # and the system default is used.\n revision-cpu-limit: \"1000m\" # 1 CPU (aka 1000 milli-CPU)\n\n # revision-memory-limit contains the memory allocation to limit\n # revisions to by default. If omitted, no value is specified\n # and the system default is used.\n revision-memory-limit: \"200M\" # 200 megabytes of memory\n\n # container-name-template contains a template for the default\n # container name, if none is specified. This field supports\n # Go templating and is supplied with the ObjectMeta of the\n # enclosing Service or Configuration, so values such as\n # {{.Name}} are also valid.\n container-name-template: \"user-container\"\n\n # container-concurrency specifies the maximum number\n # of requests the Container can handle at once, and requests\n # above this threshold are queued. Setting a value of zero\n # disables this throttling and lets through as many requests as\n # the pod receives.\n container-concurrency: \"0\"\n\n # The container concurrency max limit is an operator setting ensuring that\n # the individual revisions cannot have arbitrary large concurrency\n # values, or autoscaling targets. `container-concurrency` default setting\n # must be at or below this value.\n # Must be greater than 1.\n container-concurrency-max-limit: \"1000\"\n\n # feature flag indicates whether to enable multi container support or not\n enable-multi-container: \"false\"\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-defaults\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # List of repositories for which tag to digest resolving should be skipped\n registriesSkippingTagResolving: \"ko.local,dev.local\"\n queueSidecarImage: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:d066ae5b642885827506610ae25728d442ce11447b82df6e9cc4c174bb97ecb3\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-deployment\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # Default value for domain.\n # Although it will match all routes, it is the least-specific rule so it\n # will only be used if no other domain matches.\n example.com: |\n\n # These are example settings of domain.\n # example.org will be used for routes having app=nonprofit.\n example.org: |\n selector:\n app: nonprofit\n\n # Routes having domain suffix of 'svc.cluster.local' will not be exposed\n # through Ingress. You can define your own label selector to assign that\n # domain suffix to your Route here, or you can set the label\n # \"serving.knative.dev/visibility=cluster-local\"\n # to achieve the same effect. This shows how to make routes having\n # the label app=secret only exposed to the local cluster.\n svc.cluster.local: |\n selector:\n app: secret\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-domain\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # Delay after revision creation before considering it for GC\n stale-revision-create-delay: \"48h\"\n\n # Duration since a route has pointed at the revision before it\n # should be GC'd.\n # This minus lastpinned-debounce must be longer than the controller\n # resync period (10 hours).\n stale-revision-timeout: \"15h\"\n\n # Minimum number of generations of revisions to keep before considering\n # them for GC\n stale-revision-minimum-generations: \"20\"\n\n # To avoid constant updates, we allow an existing annotation to be stale by this\n # amount before we update the timestamp.\n stale-revision-lastpinned-debounce: \"5h\"\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-gc\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # Default Knative Gateway after v0.3. It points to the Istio\n # standard istio-ingressgateway, instead of a custom one that we\n # used pre-0.3. The configuration format should be `gateway.\n # {{gateway_namespace}}.{{gateway_name}}: \"{{ingress_name}}.\n # {{ingress_namespace}}.svc.cluster.local\"`. The {{gateway_namespace}}\n # is optional; when it is omitted, the system will search for\n # the gateway in the serving system namespace `knative-serving`\n gateway.knative-serving.knative-ingress-gateway: \"istio-ingressgateway.istio-system.svc.cluster.local\"\n\n # A cluster local gateway to allow pods outside of the mesh to access\n # Services and Routes not exposing through an ingress. If the users\n # do have a service mesh setup, this isn't required and can be removed.\n #\n # An example use case is when users want to use Istio without any\n # sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod\n # is outside of the service mesh in that case, a cluster-local service\n # will need to be exposed to a cluster-local gateway to be accessible.\n # The configuration format should be `local-gateway.{{local_gateway_namespace}}.\n # {{local_gateway_name}}: \"{{cluster_local_gateway_name}}.\n # {{cluster_local_gateway_namespace}}.svc.cluster.local\"`. The\n # {{local_gateway_namespace}} is optional; when it is omitted, the system\n # will search for the local gateway in the serving system namespace\n # `knative-serving`\n local-gateway.knative-serving.cluster-local-gateway: \"cluster-local-gateway.istio-system.svc.cluster.local\"\n\n # To use only Istio service mesh and no cluster-local-gateway, replace\n # all local-gateway.* entries by the following entry.\n local-gateway.mesh: \"mesh\"\n gateway.kubeflow.kubeflow-gateway: istio-ingressgateway.istio-system.svc.cluster.local\n local-gateway.knative-serving.cluster-local-gateway: cluster-local-gateway.istio-system.svc.cluster.local\n local-gateway.mesh: mesh\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n networking.knative.dev/ingress-provider: istio\n serving.knative.dev/release: v0.14.3\n name: config-istio\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # resourceLock controls which API resource is used as the basis for the\n # leader election lock. Valid values are:\n #\n # - leases -> use the coordination API\n # - configmaps -> use configmaps\n # - endpoints -> use endpoints\n resourceLock: \"leases\"\n\n # leaseDuration is how long non-leaders will wait to try to acquire the\n # lock; 15 seconds is the value used by core kubernetes controllers.\n leaseDuration: \"15s\"\n # renewDeadline is how long a leader will try to renew the lease before\n # giving up; 10 seconds is the value used by core kubernetes controllers.\n renewDeadline: \"10s\"\n # retryPeriod is how long the leader election client waits between tries of\n # actions; 2 seconds is the value used by core kubernetes controllers.\n retryPeriod: \"2s\"\n # enabledComponents is a comma-delimited list of component names for which\n # leader election is enabled. Valid values are:\n #\n # - controller\n # - hpaautoscaler\n # - certcontroller\n # - istiocontroller\n # - nscontroller\n enabledComponents: \"controller,hpaautoscaler,certcontroller,istiocontroller,nscontroller\"\n leaseDuration: 15s\n renewDeadline: 10s\n resourceLock: leases\n retryPeriod: 2s\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-leader-election\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # Common configuration for all Knative codebase\n zap-logger-config: |\n {\n \"level\": \"info\",\n \"development\": false,\n \"outputPaths\": [\"stdout\"],\n \"errorOutputPaths\": [\"stderr\"],\n \"encoding\": \"json\",\n \"encoderConfig\": {\n \"timeKey\": \"ts\",\n \"levelKey\": \"level\",\n \"nameKey\": \"logger\",\n \"callerKey\": \"caller\",\n \"messageKey\": \"msg\",\n \"stacktraceKey\": \"stacktrace\",\n \"lineEnding\": \"\",\n \"levelEncoder\": \"\",\n \"timeEncoder\": \"iso8601\",\n \"durationEncoder\": \"\",\n \"callerEncoder\": \"\"\n }\n }\n\n # Log level overrides\n # For all components except the autoscaler and queue proxy,\n # changes are be picked up immediately.\n # For autoscaler and queue proxy, changes require recreation of the pods.\n loglevel.controller: \"info\"\n loglevel.autoscaler: \"info\"\n loglevel.queueproxy: \"info\"\n loglevel.webhook: \"info\"\n loglevel.activator: \"info\"\n loglevel.hpaautoscaler: \"info\"\n loglevel.certcontroller: \"info\"\n loglevel.istiocontroller: \"info\"\n loglevel.nscontroller: \"info\"\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-logging\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # DEPRECATED:\n # istio.sidecar.includeOutboundIPRanges is obsolete.\n # The current versions have outbound network access enabled by default.\n # If you need this option for some reason, please use global.proxy.includeIPRanges in Istio.\n #\n # istio.sidecar.includeOutboundIPRanges: \"*\"\n\n # ingress.class specifies the default ingress class\n # to use when not dictated by Route annotation.\n #\n # If not specified, will use the Istio ingress.\n #\n # Note that changing the Ingress class of an existing Route\n # will result in undefined behavior. Therefore it is best to only\n # update this value during the setup of Knative, to avoid getting\n # undefined behavior.\n ingress.class: \"istio.ingress.networking.knative.dev\"\n\n # certificate.class specifies the default Certificate class\n # to use when not dictated by Route annotation.\n #\n # If not specified, will use the Cert-Manager Certificate.\n #\n # Note that changing the Certificate class of an existing Route\n # will result in undefined behavior. Therefore it is best to only\n # update this value during the setup of Knative, to avoid getting\n # undefined behavior.\n certificate.class: \"cert-manager.certificate.networking.knative.dev\"\n\n # domainTemplate specifies the golang text template string to use\n # when constructing the Knative service's DNS name. The default\n # value is \"{{.Name}}.{{.Namespace}}.{{.Domain}}\". And those three\n # values (Name, Namespace, Domain) are the only variables defined.\n #\n # Changing this value might be necessary when the extra levels in\n # the domain name generated is problematic for wildcard certificates\n # that only support a single level of domain name added to the\n # certificate's domain. In those cases you might consider using a value\n # of \"{{.Name}}-{{.Namespace}}.{{.Domain}}\", or removing the Namespace\n # entirely from the template. When choosing a new value be thoughtful\n # of the potential for conflicts - for example, when users choose to use\n # characters such as `-` in their service, or namespace, names.\n # {{.Annotations}} can be used for any customization in the go template if needed.\n # We strongly recommend keeping namespace part of the template to avoid domain name clashes\n # Example '{{.Name}}-{{.Namespace}}.{{ index .Annotations \"sub\"}}.{{.Domain}}'\n # and you have an annotation {\"sub\":\"foo\"}, then the generated template would be {Name}-{Namespace}.foo.{Domain}\n domainTemplate: \"{{.Name}}.{{.Namespace}}.{{.Domain}}\"\n\n # tagTemplate specifies the golang text template string to use\n # when constructing the DNS name for \"tags\" within the traffic blocks\n # of Routes and Configuration. This is used in conjunction with the\n # domainTemplate above to determine the full URL for the tag.\n tagTemplate: \"{{.Tag}}-{{.Name}}\"\n\n # Controls whether TLS certificates are automatically provisioned and\n # installed in the Knative ingress to terminate external TLS connection.\n # 1. Enabled: enabling auto-TLS feature.\n # 2. Disabled: disabling auto-TLS feature.\n autoTLS: \"Disabled\"\n\n # Controls the behavior of the HTTP endpoint for the Knative ingress.\n # It requires autoTLS to be enabled.\n # 1. Enabled: The Knative ingress will be able to serve HTTP connection.\n # 2. Disabled: The Knative ingress will reject HTTP traffic.\n # 3. Redirected: The Knative ingress will send a 302 redirect for all\n # http connections, asking the clients to use HTTPS\n httpProtocol: \"Enabled\"\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-network\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################ # # # EXAMPLE CONFIGURATION # # # ################################\n\n # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. #\n # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration.\n # logging.enable-var-log-collection defaults to false. # The fluentd daemon set will be set up to collect /var/log if # this flag is true. logging.enable-var-log-collection: \"false\"\n # logging.revision-url-template provides a template to use for producing the # logging URL that is injected into the status of each Revision. # This value is what you might use the the Knative monitoring bundle, and provides # access to Kibana after setting up kubectl proxy. logging.revision-url-template: |\n http://localhost:8001/api/v1/namespaces/knative-monitoring/services/kibana-logging/proxy/app/kibana#/discover?_a=(query:(match:(kubernetes.labels.serving-knative-dev%2FrevisionUID:(query:'${REVISION_UID}',type:phrase))))\n\n # If non-empty, this enables queue proxy writing user request logs to stdout, excluding probe # requests. # The value determines the shape of the request logs and it must be a valid go text/template. # It is important to keep this as a single line. Multiple lines are parsed as separate entities # by most collection agents and will split the request logs into multiple records. # # The following fields and functions are available to the template: # # Request: An http.Request (see https://golang.org/pkg/net/http/#Request) # representing an HTTP request received by the server. # # Response: # struct { # Code int // HTTP status code (see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml) # Size int // An int representing the size of the response. # Latency float64 // A float64 representing the latency of the response in seconds. # } # # Revision: # struct { # Name string // Knative revision name # Namespace string // Knative revision namespace # Service string // Knative service name # Configuration string // Knative configuration name # PodName string // Name of the pod hosting the revision # PodIP string // IP of the pod hosting the revision # } # logging.request-log-template: '{\"httpRequest\": {\"requestMethod\": \"{{.Request.Method}}\", \"requestUrl\": \"{{js .Request.RequestURI}}\", \"requestSize\": \"{{.Request.ContentLength}}\", \"status\": {{.Response.Code}}, \"responseSize\": \"{{.Response.Size}}\", \"userAgent\": \"{{js .Request.UserAgent}}\", \"remoteIp\": \"{{js .Request.RemoteAddr}}\", \"serverIp\": \"{{.Revision.PodIP}}\", \"referer\": \"{{js .Request.Referer}}\", \"latency\": \"{{.Response.Latency}}s\", \"protocol\": \"{{.Request.Proto}}\"}, \"traceId\": \"{{index .Request.Header \"X-B3-Traceid\"}}\"}'\n # If true, this enables queue proxy writing request logs for probe requests to stdout. # It uses the same template for user requests, i.e. logging.request-log-template. logging.enable-probe-request-log: \"false\"\n # metrics.backend-destination field specifies the system metrics destination. # It supports either prometheus (the default) or stackdriver. # Note: Using stackdriver will incur additional charges metrics.backend-destination: prometheus\n # metrics.request-metrics-backend-destination specifies the request metrics # destination. It enables queue proxy to send request metrics. # Currently supported values: prometheus (the default), stackdriver. metrics.request-metrics-backend-destination: prometheus\n # metrics.stackdriver-project-id field specifies the stackdriver project ID. This # field is optional. When running on GCE, application default credentials will be # used if this field is not provided. metrics.stackdriver-project-id: \"\"\n # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to # Stackdriver using \"global\" resource type and custom metric type if the # metrics are not supported by \"knative_revision\" resource type. Setting this # flag to \"true\" could cause extra Stackdriver charge. # If metrics.backend-destination is not Stackdriver, this is ignored. metrics.allow-stackdriver-custom-metrics: \"false\"\n # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from # the pods via an HTTP server in the format expected by the pprof visualization tool. When # enabled, the Knative Serving pods expose the profiling data on an alternate HTTP port 8008. # The HTTP context root for profiling is then /debug/pprof/. profiling.enable: \"false\"\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-observability\n namespace: knative-serving\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n #\n # This may be \"zipkin\" or \"stackdriver\", the default is \"none\"\n backend: \"none\"\n\n # URL to zipkin collector where traces are sent.\n # This must be specified when backend is \"zipkin\"\n zipkin-endpoint: \"http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans\"\n\n # The GCP project into which stackdriver metrics will be written\n # when backend is \"stackdriver\". If unspecified, the project-id\n # is read from GCP metadata when running on GCP.\n stackdriver-project-id: \"my-project\"\n\n # Enable zipkin debug mode. This allows all spans to be sent to the server\n # bypassing sampling.\n debug: \"false\"\n\n # Percentage (0-1) of requests to trace\n sample-rate: \"0.1\"\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-tracing\n namespace: knative-serving\n---\napiVersion: v1\nkind: Secret\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: istio-webhook-certs\n namespace: knative-serving\n---\napiVersion: v1\nkind: Secret\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: webhook-certs\n namespace: knative-serving\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: activator\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: activator-service\n namespace: knative-serving\nspec:\n ports:\n - name: http\n port: 80\n targetPort: 8012\n - name: http2\n port: 81\n targetPort: 8013\n - name: http-profiling\n port: 8008\n targetPort: 8008\n - name: http-metrics\n port: 9090\n targetPort: 9090\n selector:\n app: activator\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n type: ClusterIP\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: autoscaler\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: autoscaler\n namespace: knative-serving\nspec:\n ports:\n - name: http\n port: 8080\n targetPort: 8080\n - name: http-profiling\n port: 8008\n targetPort: 8008\n - name: http-metrics\n port: 9090\n targetPort: 9090\n - name: https-custom-metrics\n port: 443\n targetPort: 8443\n selector:\n app: autoscaler\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: controller\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: controller\n namespace: knative-serving\nspec:\n ports:\n - name: http-profiling\n port: 8008\n targetPort: 8008\n - name: http-metrics\n port: 9090\n targetPort: 9090\n selector:\n app: controller\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: istio-webhook\n serving.knative.dev/release: v0.14.3\n name: istio-webhook\n namespace: knative-serving\nspec:\n ports:\n - name: http-metrics\n port: 9090\n targetPort: 9090\n - name: http-profiling\n port: 8008\n targetPort: 8008\n - name: https-webhook\n port: 443\n targetPort: 8443\n selector:\n app: istio-webhook\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: webhook\n serving.knative.dev/release: v0.14.3\n name: webhook\n namespace: knative-serving\nspec:\n ports:\n - name: http-metrics\n port: 9090\n targetPort: 9090\n - name: http-profiling\n port: 8008\n targetPort: 8008\n - name: https-webhook\n port: 443\n targetPort: 8443\n selector:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: webhook\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: activator\n namespace: knative-serving\nspec:\n selector:\n matchLabels:\n app: activator\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: activator\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"false\"\n labels:\n app: activator\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: activator\n serving.knative.dev/release: v0.14.3\n spec:\n containers:\n - env:\n - name: GOGC\n value: \"500\"\n - name: POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/internal/serving\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-activator:special-3208b\n livenessProbe:\n httpGet:\n httpHeaders:\n - name: k-kubelet-probe\n value: activator\n port: 8012\n name: activator\n ports:\n - containerPort: 8012\n name: http1\n - containerPort: 8013\n name: h2c\n - containerPort: 9090\n name: metrics\n - containerPort: 8008\n name: profiling\n readinessProbe:\n httpGet:\n httpHeaders:\n - name: k-kubelet-probe\n value: activator\n port: 8012\n resources:\n limits:\n cpu: 1000m\n memory: 600Mi\n requests:\n cpu: 300m\n memory: 60Mi\n securityContext:\n allowPrivilegeEscalation: false\n serviceAccountName: controller\n terminationGracePeriodSeconds: 300\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: autoscaler\n namespace: knative-serving\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: autoscaler\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"false\"\n labels:\n app: autoscaler\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n spec:\n containers:\n - args:\n - --secure-port=8443\n - --cert-dir=/tmp\n env:\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/serving\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-autoscaler:special-4578f\n livenessProbe:\n httpGet:\n httpHeaders:\n - name: k-kubelet-probe\n value: autoscaler\n port: 8080\n name: autoscaler\n ports:\n - containerPort: 8080\n name: websocket\n - containerPort: 9090\n name: metrics\n - containerPort: 8443\n name: custom-metrics\n - containerPort: 8008\n name: profiling\n readinessProbe:\n httpGet:\n httpHeaders:\n - name: k-kubelet-probe\n value: autoscaler\n port: 8080\n resources:\n limits:\n cpu: 300m\n memory: 400Mi\n requests:\n cpu: 30m\n memory: 40Mi\n securityContext:\n allowPrivilegeEscalation: false\n serviceAccountName: controller\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: controller\n namespace: knative-serving\nspec:\n selector:\n matchLabels:\n app: controller\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"true\"\n labels:\n app: controller\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n spec:\n containers:\n - env:\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/internal/serving\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-controller:special-9f8e4\n name: controller\n ports:\n - containerPort: 9090\n name: metrics\n - containerPort: 8008\n name: profiling\n resources:\n limits:\n cpu: 1000m\n memory: 1000Mi\n requests:\n cpu: 100m\n memory: 100Mi\n securityContext:\n allowPrivilegeEscalation: false\n serviceAccountName: controller\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: istio-webhook\n namespace: knative-serving\nspec:\n selector:\n matchLabels:\n app: istio-webhook\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: istio-webhook\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"false\"\n labels:\n app: istio-webhook\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: istio-webhook\n serving.knative.dev/release: v0.14.3\n spec:\n containers:\n - env:\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/net-istio\n - name: WEBHOOK_NAME\n value: istio-webhook\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-webhook:special-6749b\n name: webhook\n ports:\n - containerPort: 9090\n name: metrics\n - containerPort: 8008\n name: profiling\n - containerPort: 8443\n name: https-webhook\n resources:\n limits:\n cpu: 200m\n memory: 200Mi\n requests:\n cpu: 20m\n memory: 20Mi\n securityContext:\n allowPrivilegeEscalation: false\n serviceAccountName: controller\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n networking.knative.dev/ingress-provider: istio\n serving.knative.dev/release: v0.14.3\n name: networking-istio\n namespace: knative-serving\nspec:\n selector:\n matchLabels:\n app: networking-istio\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"true\"\n sidecar.istio.io/inject: \"false\"\n labels:\n app: networking-istio\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n spec:\n containers:\n - env:\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/net-istio\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-controller:special-ba7fa\n name: networking-istio\n ports:\n - containerPort: 9090\n name: metrics\n - containerPort: 8008\n name: profiling\n resources:\n limits:\n cpu: 300m\n memory: 400Mi\n requests:\n cpu: 30m\n memory: 40Mi\n securityContext:\n allowPrivilegeEscalation: false\n serviceAccountName: controller\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: webhook\n namespace: knative-serving\nspec:\n selector:\n matchLabels:\n app: webhook\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: webhook\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"false\"\n labels:\n app: webhook\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: webhook\n serving.knative.dev/release: v0.14.3\n spec:\n containers:\n - env:\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/serving\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-webhook:special-d1b48\n name: webhook\n ports:\n - containerPort: 9090\n name: metrics\n - containerPort: 8008\n name: profiling\n - containerPort: 8443\n name: https-webhook\n resources:\n limits:\n cpu: 200m\n memory: 200Mi\n requests:\n cpu: 20m\n memory: 20Mi\n securityContext:\n allowPrivilegeEscalation: false\n serviceAccountName: controller\n---\napiVersion: autoscaling/v2beta1\nkind: HorizontalPodAutoscaler\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: activator\n namespace: knative-serving\nspec:\n maxReplicas: 20\n metrics:\n - resource:\n name: cpu\n targetAverageUtilization: 100\n type: Resource\n minReplicas: 1\n scaleTargetRef:\n apiVersion: apps/v1\n kind: Deployment\n name: activator\n---\napiVersion: caching.internal.knative.dev/v1alpha1\nkind: Image\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: queue-proxy\n namespace: knative-serving\nspec:\n image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:d066ae5b642885827506610ae25728d442ce11447b82df6e9cc4c174bb97ecb3\n---\napiVersion: networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n name: knative\n namespace: knative-serving\nspec:\n host: '*.knative-serving.svc.cluster.local'\n trafficPolicy:\n tls:\n mode: ISTIO_MUTUAL\n---\napiVersion: networking.istio.io/v1alpha3\nkind: Gateway\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n networking.knative.dev/ingress-provider: istio\n serving.knative.dev/release: v0.14.3\n name: cluster-local-gateway\n namespace: knative-serving\nspec:\n selector:\n istio: cluster-local-gateway\n servers:\n - hosts:\n - '*'\n port:\n name: http\n number: 80\n protocol: HTTP\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n name: activator-service\n namespace: knative-serving\nspec:\n action: ALLOW\n rules:\n - {}\n selector:\n matchLabels:\n app: activator\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n name: autoscaler\n namespace: knative-serving\nspec:\n action: ALLOW\n rules:\n - {}\n selector:\n matchLabels:\n app: autoscaler\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n name: controller\n namespace: knative-serving\nspec:\n action: ALLOW\n rules:\n - {}\n selector:\n matchLabels:\n app: controller\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n name: istio-webhook\n namespace: knative-serving\nspec:\n action: ALLOW\n rules:\n - {}\n selector:\n matchLabels:\n app: istio-webhook\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n name: webhook\n namespace: knative-serving\nspec:\n action: ALLOW\n rules:\n - {}\n selector:\n matchLabels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n role: webhook\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: MutatingWebhookConfiguration\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: webhook.istio.networking.internal.knative.dev\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n service:\n name: istio-webhook\n namespace: knative-serving\n failurePolicy: Fail\n name: webhook.istio.networking.internal.knative.dev\n objectSelector:\n matchExpressions:\n - key: serving.knative.dev/configuration\n operator: Exists\n sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: MutatingWebhookConfiguration\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: webhook.serving.knative.dev\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n service:\n name: webhook\n namespace: knative-serving\n failurePolicy: Fail\n name: webhook.serving.knative.dev\n sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config.webhook.istio.networking.internal.knative.dev\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n service:\n name: istio-webhook\n namespace: knative-serving\n failurePolicy: Fail\n name: config.webhook.istio.networking.internal.knative.dev\n namespaceSelector:\n matchExpressions:\n - key: serving.knative.dev/release\n operator: Exists\n sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config.webhook.serving.knative.dev\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n service:\n name: webhook\n namespace: knative-serving\n failurePolicy: Fail\n name: config.webhook.serving.knative.dev\n namespaceSelector:\n matchExpressions:\n - key: serving.knative.dev/release\n operator: Exists\n sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: validation.webhook.serving.knative.dev\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n service:\n name: webhook\n namespace: knative-serving\n failurePolicy: Fail\n name: validation.webhook.serving.knative.dev\n sideEffects: None\n"
},
{
"path": "manifest1.3/011-knative-knative-eventing-crds-base.yaml",
"content": "apiVersion: v1\nkind: Namespace\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n name: knative-eventing\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n registry.knative.dev/eventTypes: |\n [\n { \"type\": \"dev.knative.apiserver.resource.add\" },\n { \"type\": \"dev.knative.apiserver.resource.delete\" },\n { \"type\": \"dev.knative.apiserver.resource.update\" },\n { \"type\": \"dev.knative.apiserver.ref.add\" },\n { \"type\": \"dev.knative.apiserver.ref.delete\" },\n { \"type\": \"dev.knative.apiserver.ref.update\" }\n ]\n creationTimestamp: null\n labels:\n duck.knative.dev/source: \"true\"\n eventing.knative.dev/release: v0.14.2\n eventing.knative.dev/source: \"true\"\n knative.dev/crd-install: \"true\"\n name: apiserversources.sources.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n - JSONPath: .status.sinkUri\n name: Sink\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: sources.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n - sources\n kind: ApiServerSource\n plural: apiserversources\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: true\n - name: v1alpha2\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n knative.dev/crd-install: \"true\"\n name: brokers.eventing.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n - JSONPath: .status.address.url\n name: URL\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: eventing.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n kind: Broker\n plural: brokers\n singular: broker\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n knative.dev/crd-install: \"true\"\n messaging.knative.dev/subscribable: \"true\"\n name: channels.messaging.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n - JSONPath: .status.address.url\n name: URL\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: messaging.knative.dev\n names:\n categories:\n - all\n - knative\n - messaging\n - channel\n kind: Channel\n plural: channels\n shortNames:\n - ch\n singular: channel\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n versions:\n - name: v1alpha1\n schema:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n channelTemplate:\n description: 'Channel implementation which dictates the durability guarantees of events. If not specified then the default channel is used. More information: https://knative.dev/docs/eventing/channels/default-channels.'\n properties:\n apiVersion:\n description: API version of the channel implementation.\n minLength: 1\n type: string\n kind:\n description: Kind of the channel implementation to use (InMemoryChannel, KafkaChannel, etc.).\n minLength: 1\n type: string\n spec:\n type: object\n required:\n - apiVersion\n - kind\n type: object\n subscribable:\n properties:\n subscribers:\n description: Events received on the channel are forwarded to its subscribers.\n items:\n properties:\n ref:\n description: a reference to a Kubernetes object from which to retrieve the target URI.\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n name:\n minLength: 1\n type: string\n namespace:\n minLength: 1\n type: string\n uid:\n minLength: 1\n type: string\n required:\n - namespace\n - name\n - uid\n type: object\n x-kubernetes-preserve-unknown-fields: true\n replyURI:\n description: Endpoint for the reply.\n minLength: 1\n type: string\n subscriberURI:\n description: Endpoint for the subscriber.\n minLength: 1\n type: string\n uid:\n description: Used to understand the origin of the subscriber.\n minLength: 1\n type: string\n required:\n - uid\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: array\n type: object\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n served: true\n storage: true\n - name: v1beta1\n schema:\n openAPIV3Schema:\n properties:\n spec:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n knative.dev/crd-install: \"true\"\n name: configmappropagations.configs.internal.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n - JSONPath: .spec.originalNamespace\n name: OriginalNamespace\n type: string\n group: configs.internal.knative.dev\n names:\n categories:\n - knative-internal\n kind: ConfigMapPropagation\n plural: configmappropagations\n shortNames:\n - kcmp\n - cmp\n singular: configmappropagation\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n originalNamespace:\n description: The namespace where original ConfigMaps exist in.\n type: string\n required:\n - originalNamespace\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/source: \"true\"\n eventing.knative.dev/release: v0.14.2\n eventing.knative.dev/source: \"true\"\n knative.dev/crd-install: \"true\"\n name: containersources.sources.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n - JSONPath: .status.sinkUri\n name: Sink\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n group: sources.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n - sources\n kind: ContainerSource\n plural: containersources\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha2\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n knative.dev/crd-install: \"true\"\n name: eventtypes.eventing.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .spec.type\n name: Type\n type: string\n - JSONPath: .spec.source\n name: Source\n type: string\n - JSONPath: .spec.schema\n name: Schema\n type: string\n - JSONPath: .spec.broker\n name: Broker\n type: string\n - JSONPath: .spec.description\n name: Description\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: eventing.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n kind: EventType\n plural: eventtypes\n singular: eventtype\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n knative.dev/crd-install: \"true\"\n messaging.knative.dev/subscribable: \"true\"\n name: inmemorychannels.messaging.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n - JSONPath: .status.address.url\n name: URL\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: messaging.knative.dev\n names:\n categories:\n - all\n - knative\n - messaging\n - channel\n kind: InMemoryChannel\n plural: inmemorychannels\n shortNames:\n - imc\n singular: inmemorychannel\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n knative.dev/crd-install: \"true\"\n name: parallels.flows.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n - JSONPath: .status.address.url\n name: URL\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: flows.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n - flows\n kind: Parallel\n plural: parallels\n singular: parallel\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n registry.knative.dev/eventTypes: |\n [\n { \"type\": \"dev.knative.sources.ping\" }\n ]\n labels:\n duck.knative.dev/source: \"true\"\n eventing.knative.dev/release: v0.14.2\n eventing.knative.dev/source: \"true\"\n knative.dev/crd-install: \"true\"\n name: pingsources.sources.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n - JSONPath: .status.sinkUri\n name: Sink\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: sources.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n - sources\n kind: PingSource\n plural: pingsources\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: true\n - name: v1alpha2\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n knative.dev/crd-install: \"true\"\n name: sequences.flows.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n - JSONPath: .status.address.url\n name: URL\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: flows.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n - flows\n kind: Sequence\n plural: sequences\n singular: sequence\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n duck.knative.dev/binding: \"true\"\n duck.knative.dev/source: \"true\"\n eventing.knative.dev/release: v0.14.2\n eventing.knative.dev/source: \"true\"\n knative.dev/crd-install: \"true\"\n name: sinkbindings.sources.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].reason\n name: Reason\n type: string\n - JSONPath: .status.sinkUri\n name: Sink\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: sources.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n - sources\n - bindings\n kind: SinkBinding\n plural: sinkbindings\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n versions:\n - name: v1alpha1\n served: true\n storage: true\n - name: v1alpha2\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n knative.dev/crd-install: \"true\"\n name: subscriptions.messaging.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: None\n group: messaging.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n kind: Subscription\n plural: subscriptions\n shortNames:\n - sub\n singular: subscription\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n channel:\n description: Channel that forwards incoming events to the subscription.\n properties:\n apiVersion:\n minLength: 1\n type: string\n kind:\n type: string\n name:\n minLength: 1\n type: string\n required:\n - apiVersion\n - kind\n - name\n type: object\n delivery:\n description: 'Subscription delivery options. More information: https://knative.dev/docs/eventing/event-delivery.'\n type: object\n x-kubernetes-preserve-unknown-fields: true\n reply:\n description: the destination that (optionally) receive events.\n properties:\n ref:\n description: a reference to a Kubernetes object from which to retrieve the target URI.\n properties:\n apiVersion:\n minLength: 1\n type: string\n kind:\n minLength: 1\n type: string\n name:\n minLength: 1\n type: string\n namespace:\n minLength: 1\n type: string\n required:\n - apiVersion\n - kind\n - name\n type: object\n uri:\n description: the target URI or, if ref is provided, a relative URI reference that will be combined with ref to produce a target URI.\n minLength: 1\n type: string\n type: object\n subscriber:\n description: the subscriber that (optionally) processes events.\n properties:\n ref:\n description: a reference to a Kubernetes object from which to retrieve the target URI.\n properties:\n apiVersion:\n minLength: 1\n type: string\n kind:\n minLength: 1\n type: string\n name:\n minLength: 1\n type: string\n namespace:\n minLength: 1\n type: string\n required:\n - apiVersion\n - kind\n - name\n type: object\n uri:\n description: the target URI or, if ref is provided, a relative URI reference that will be combined with ref to produce a target URI.\n minLength: 1\n type: string\n type: object\n required:\n - channel\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n versions:\n - name: v1alpha1\n served: true\n storage: true\n - name: v1beta1\n served: true\n storage: false\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n knative.dev/crd-install: \"true\"\n name: triggers.eventing.knative.dev\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].status\n name: Ready\n type: string\n - JSONPath: .status.conditions[?(@.type==\"Ready\")].reason\n name: Reason\n type: string\n - JSONPath: .spec.broker\n name: Broker\n type: string\n - JSONPath: .status.subscriberUri\n name: Subscriber_URI\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n conversion:\n strategy: Webhook\n webhookClientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n group: eventing.knative.dev\n names:\n categories:\n - all\n - knative\n - eventing\n kind: Trigger\n plural: triggers\n singular: trigger\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n versions:\n - name: v1alpha1\n schema:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n broker:\n description: Broker that this trigger receives events from. If not specified, will default to 'default'.\n type: string\n filter:\n properties:\n attributes:\n additionalProperties:\n type: string\n description: Map of CloudEvents attributes used for filtering events.\n type: object\n sourceAndType:\n properties:\n source:\n type: string\n type:\n type: string\n type: object\n type: object\n subscriber:\n description: the destination that should receive events.\n properties:\n ref:\n description: a reference to a Kubernetes object from which to retrieve the target URI.\n properties:\n apiVersion:\n minLength: 1\n type: string\n kind:\n minLength: 1\n type: string\n name:\n minLength: 1\n type: string\n namespace:\n minLength: 1\n type: string\n required:\n - apiVersion\n - kind\n - name\n type: object\n uri:\n description: the target URI or, if ref is provided, a relative URI reference that will be combined with ref to produce a target URI.\n type: string\n type: object\n required:\n - subscriber\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n served: true\n storage: true\n - name: v1beta1\n schema:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n broker:\n description: Broker that this trigger receives events from. If not specified, will default to 'default'.\n type: string\n filter:\n properties:\n attributes:\n additionalProperties:\n type: string\n description: Map of CloudEvents attributes used for filtering events.\n type: object\n type: object\n subscriber:\n description: the destination that should receive events.\n properties:\n ref:\n description: a reference to a Kubernetes object from which to retrieve the target URI.\n properties:\n apiVersion:\n minLength: 1\n type: string\n kind:\n minLength: 1\n type: string\n name:\n minLength: 1\n type: string\n namespace:\n minLength: 1\n type: string\n required:\n - apiVersion\n - kind\n - name\n type: object\n uri:\n description: the target URI or, if ref is provided, a relative URI reference that will be combined with ref to produce a target URI.\n type: string\n type: object\n required:\n - subscriber\n type: object\n status:\n type: object\n x-kubernetes-preserve-unknown-fields: true\n type: object\n served: true\n storage: false\n"
},
{
"path": "manifest1.3/012-knative-knative-eventing-install-base.yaml",
"content": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-controller\n namespace: knative-eventing\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-webhook\n namespace: knative-eventing\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-controller\n namespace: knative-eventing\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-dispatcher\n namespace: knative-eventing\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: pingsource-jobrunner\n namespace: knative-eventing\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n duck.knative.dev/addressable: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: addressable-resolver\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: broker-addressable-resolver\nrules:\n- apiGroups:\n - eventing.knative.dev\n resources:\n - brokers\n - brokers/status\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/podspecable: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: builtin-podspecable-binding\nrules:\n- apiGroups:\n - apps\n resources:\n - deployments\n - daemonsets\n - statefulsets\n - replicasets\n verbs:\n - list\n - watch\n - patch\n- apiGroups:\n - batch\n resources:\n - jobs\n verbs:\n - list\n - watch\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: channel-addressable-resolver\nrules:\n- apiGroups:\n - messaging.knative.dev\n resources:\n - channels\n - channels/status\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - messaging.knative.dev\n resources:\n - channels/finalizers\n verbs:\n - update\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n duck.knative.dev/channelable: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: channelable-manipulator\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-broker-filter\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - eventing.knative.dev\n resources:\n - triggers\n - triggers/status\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-broker-ingress\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-config-reader\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/source: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-sources-source-observer\nrules:\n- apiGroups:\n - sources.knative.dev\n resources:\n - apiserversources\n - pingsources\n - sinkbindings\n - containersources\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: flows-addressable-resolver\nrules:\n- apiGroups:\n - flows.knative.dev\n resources:\n - sequences\n - sequences/status\n - parallels\n - parallels/status\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-addressable-resolver\nrules:\n- apiGroups:\n - messaging.knative.dev\n resources:\n - inmemorychannels\n - inmemorychannels/status\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/channelable: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-channelable-manipulator\nrules:\n- apiGroups:\n - messaging.knative.dev\n resources:\n - inmemorychannels\n - inmemorychannels/status\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-controller\nrules:\n- apiGroups:\n - messaging.knative.dev\n resources:\n - inmemorychannels\n - inmemorychannels/status\n verbs:\n - get\n - list\n - watch\n - update\n- apiGroups:\n - messaging.knative.dev\n resources:\n - inmemorychannels/finalizers\n verbs:\n - update\n- apiGroups:\n - \"\"\n resources:\n - services\n - serviceaccounts\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - endpoints\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - rbac.authorization.k8s.io\n resources:\n - rolebindings\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n- apiGroups:\n - apps\n resources:\n - deployments\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n- apiGroups:\n - apps\n resources:\n - deployments/status\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n- apiGroups:\n - coordination.k8s.io\n resources:\n - leases\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-dispatcher\nrules:\n- apiGroups:\n - messaging.knative.dev\n resources:\n - inmemorychannels\n - inmemorychannels/status\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n- apiGroups:\n - messaging.knative.dev\n resources:\n - inmemorychannels/status\n verbs:\n - update\n- apiGroups:\n - coordination.k8s.io\n resources:\n - leases\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: knative-eventing-channel-broker-controller\nrules:\n- apiGroups:\n - configs.internal.knative.dev\n resources:\n - configmappropagations\n - configmappropagations/status\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - configs.internal.knative.dev\n resources:\n - configmappropagations/finalizers\n verbs:\n - update\n- apiGroups:\n - \"\"\n resources:\n - namespaces/finalizers\n verbs:\n - update\n- apiGroups:\n - coordination.k8s.io\n resources:\n - leases\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: knative-eventing-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - namespaces\n - secrets\n - configmaps\n - services\n - endpoints\n - events\n - serviceaccounts\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - apps\n resources:\n - deployments\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - rbac.authorization.k8s.io\n resources:\n - rolebindings\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - eventing.knative.dev\n resources:\n - brokers\n - brokers/status\n - triggers\n - triggers/status\n - eventtypes\n - eventtypes/status\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - eventing.knative.dev\n resources:\n - brokers/finalizers\n - triggers/finalizers\n verbs:\n - update\n- apiGroups:\n - messaging.knative.dev\n resources:\n - sequences\n - sequences/status\n - channels\n - channels/status\n - parallels\n - parallels/status\n - subscriptions\n - subscriptions/status\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - flows.knative.dev\n resources:\n - sequences\n - sequences/status\n - parallels\n - parallels/status\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - messaging.knative.dev\n resources:\n - sequences/finalizers\n - parallels/finalizers\n - channels/finalizers\n verbs:\n - update\n- apiGroups:\n - flows.knative.dev\n resources:\n - sequences/finalizers\n - parallels/finalizers\n verbs:\n - update\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: knative-eventing-jobrunner\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - sources.knative.dev\n resources:\n - pingsources\n - pingsources/status\n verbs:\n - get\n - list\n - watch\n - patch\n- apiGroups:\n - sources.knative.dev\n resources:\n - pingsources/finalizers\n verbs:\n - patch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n name: knative-eventing-namespaced-admin\nrules:\n- apiGroups:\n - eventing.knative.dev\n resources:\n - '*'\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n rbac.authorization.k8s.io/aggregate-to-edit: \"true\"\n name: knative-eventing-namespaced-edit\nrules:\n- apiGroups:\n - eventing.knative.dev\n - messaging.knative.dev\n - flows.knative.dev\n resources:\n - '*'\n verbs:\n - create\n - update\n - patch\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n rbac.authorization.k8s.io/aggregate-to-view: \"true\"\n name: knative-eventing-namespaced-view\nrules:\n- apiGroups:\n - eventing.knative.dev\n - messaging.knative.dev\n - sources.knative.dev\n - flows.knative.dev\n resources:\n - '*'\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: knative-eventing-sources-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - secrets\n - configmaps\n - services\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - apps\n resources:\n - deployments\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - sources.knative.dev\n resources:\n - sinkbindings\n - sinkbindings/status\n - sinkbindings/finalizers\n - apiserversources\n - apiserversources/status\n - apiserversources/finalizers\n - pingsources\n - pingsources/status\n - pingsources/finalizers\n - containersources\n - containersources/status\n - containersources/finalizers\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - serving.knative.dev\n resources:\n - services\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - eventing.knative.dev\n resources:\n - eventtypes\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: knative-eventing-webhook\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - create\n - update\n - list\n - watch\n- apiGroups:\n - apps\n resources:\n - deployments\n verbs:\n - get\n- apiGroups:\n - apps\n resources:\n - deployments/finalizers\n verbs:\n - update\n- apiGroups:\n - admissionregistration.k8s.io\n resources:\n - mutatingwebhookconfigurations\n - validatingwebhookconfigurations\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - sources.knative.dev\n resources:\n - sinkbindings\n - sinkbindings/status\n - sinkbindings/finalizers\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - patch\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n name: knative-flows-namespaced-admin\nrules:\n- apiGroups:\n - flows.knative.dev\n resources:\n - '*'\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n name: knative-messaging-namespaced-admin\nrules:\n- apiGroups:\n - messaging.knative.dev\n resources:\n - '*'\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n name: knative-sources-namespaced-admin\nrules:\n- apiGroups:\n - sources.knative.dev\n resources:\n - '*'\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: messaging-addressable-resolver\nrules:\n- apiGroups:\n - messaging.knative.dev\n resources:\n - sequences\n - sequences/status\n - parallels\n - parallels/status\n verbs:\n - get\n - list\n - watch\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n duck.knative.dev/podspecable: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: podspecable-binding\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: service-addressable-resolver\nrules:\n- apiGroups:\n - \"\"\n resources:\n - services\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n duck.knative.dev/addressable: \"true\"\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: serving-addressable-resolver\nrules:\n- apiGroups:\n - serving.knative.dev\n resources:\n - routes\n - routes/status\n - services\n - services/status\n verbs:\n - get\n - list\n - watch\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n duck.knative.dev/source: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: source-observer\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-channel-broker-controller\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: knative-eventing-channel-broker-controller\nsubjects:\n- kind: ServiceAccount\n name: eventing-controller\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-controller\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: knative-eventing-controller\nsubjects:\n- kind: ServiceAccount\n name: eventing-controller\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-controller-manipulator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: channelable-manipulator\nsubjects:\n- kind: ServiceAccount\n name: eventing-controller\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-controller-resolver\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: addressable-resolver\nsubjects:\n- kind: ServiceAccount\n name: eventing-controller\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-controller-source-observer\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: source-observer\nsubjects:\n- kind: ServiceAccount\n name: eventing-controller\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-controller-sources-controller\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: knative-eventing-sources-controller\nsubjects:\n- kind: ServiceAccount\n name: eventing-controller\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-webhook\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: knative-eventing-webhook\nsubjects:\n- kind: ServiceAccount\n name: eventing-webhook\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-webhook-podspecable-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: podspecable-binding\nsubjects:\n- kind: ServiceAccount\n name: eventing-webhook\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-webhook-resolver\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: addressable-resolver\nsubjects:\n- kind: ServiceAccount\n name: eventing-webhook\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-controller\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: imc-controller\nsubjects:\n- kind: ServiceAccount\n name: imc-controller\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-dispatcher\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: imc-dispatcher\nsubjects:\n- kind: ServiceAccount\n name: imc-dispatcher\n namespace: knative-eventing\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: pingsource-jobrunner\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: knative-eventing-jobrunner\nsubjects:\n- kind: ServiceAccount\n name: pingsource-jobrunner\n namespace: knative-eventing\n---\napiVersion: v1\ndata:\n channelTemplateSpec: |\n apiVersion: messaging.knative.dev/v1alpha1\n kind: InMemoryChannel\nkind: ConfigMap\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: config-br-default-channel\n namespace: knative-eventing\n---\napiVersion: v1\ndata:\n default-br-config: |\n clusterDefault:\n brokerClass: ChannelBasedBroker\n apiVersion: v1\n kind: ConfigMap\n name: config-br-default-channel\n namespace: knative-eventing\nkind: ConfigMap\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: config-br-defaults\n namespace: knative-eventing\n---\napiVersion: v1\ndata:\n MaxIdleConnections: \"1000\"\n MaxIdleConnectionsPerHost: \"100\"\nkind: ConfigMap\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: config-imc-event-dispatcher\n namespace: knative-eventing\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # resourceLock controls which API resource is used as the basis for the\n # leader election lock. Valid values are:\n #\n # - leases -> use the coordination API\n # - configmaps -> use configmaps\n # - endpoints -> use endpoints\n resourceLock: \"leases\"\n\n # leaseDuration is how long non-leaders will wait to try to acquire the\n # lock; 15 seconds is the value used by core kubernetes controllers.\n leaseDuration: \"15s\"\n # renewDeadline is how long a leader will try to renew the lease before\n # giving up; 10 seconds is the value used by core kubernetes controllers.\n renewDeadline: \"10s\"\n # retryPeriod is how long the leader election client waits between tries of\n # actions; 2 seconds is the value used by core kuberntes controllers.\n retryPeriod: \"2s\"\n # enabledComponents is a comma-delimited list of component names for which\n # leader election is enabled. Valid values are:\n #\n # - controller\n # - broker-controller\n # - inmemorychannel-dispatcher\n # - inmemorychannel-controller\n enabledComponents: \"controller,broker-controller,inmemorychannel-dispatcher,inmemorychannel-controller\"\n leaseDuration: 15s\n renewDeadline: 10s\n resourceLock: leases\n retryPeriod: 2s\nkind: ConfigMap\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: config-leader-election\n namespace: knative-eventing\n---\napiVersion: v1\ndata:\n loglevel.controller: info\n loglevel.webhook: info\n zap-logger-config: |\n {\n \"level\": \"info\",\n \"development\": false,\n \"outputPaths\": [\"stdout\"],\n \"errorOutputPaths\": [\"stderr\"],\n \"encoding\": \"json\",\n \"encoderConfig\": {\n \"timeKey\": \"ts\",\n \"levelKey\": \"level\",\n \"nameKey\": \"logger\",\n \"callerKey\": \"caller\",\n \"messageKey\": \"msg\",\n \"stacktraceKey\": \"stacktrace\",\n \"lineEnding\": \"\",\n \"levelEncoder\": \"\",\n \"timeEncoder\": \"iso8601\",\n \"durationEncoder\": \"\",\n \"callerEncoder\": \"\"\n }\n }\nkind: ConfigMap\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n knative.dev/config-category: eventing\n knative.dev/config-propagation: original\n kustomize.component: knative\n name: config-logging\n namespace: knative-eventing\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # metrics.backend-destination field specifies the system metrics destination.\n # It supports either prometheus (the default) or stackdriver.\n # Note: Using stackdriver will incur additional charges\n metrics.backend-destination: prometheus\n\n # metrics.request-metrics-backend-destination specifies the request metrics\n # destination. If non-empty, it enables queue proxy to send request metrics.\n # Currently supported values: prometheus, stackdriver.\n metrics.request-metrics-backend-destination: prometheus\n\n # metrics.stackdriver-project-id field specifies the stackdriver project ID. This\n # field is optional. When running on GCE, application default credentials will be\n # used if this field is not provided.\n metrics.stackdriver-project-id: \"\"\n\n # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to\n # Stackdriver using \"global\" resource type and custom metric type if the\n # metrics are not supported by \"knative_broker\", \"knative_trigger\", and \"knative_source\" resource types.\n # Setting this flag to \"true\" could cause extra Stackdriver charge.\n # If metrics.backend-destination is not Stackdriver, this is ignored.\n metrics.allow-stackdriver-custom-metrics: \"false\"\n\n # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from\n # the pods via an HTTP server in the format expected by the pprof visualization tool. When\n # enabled, the Knative Eventing pods expose the profiling data on an alternate HTTP port 8008.\n # The HTTP context root for profiling is then /debug/pprof/.\n profiling.enable: \"false\"\nkind: ConfigMap\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n knative.dev/config-category: eventing\n knative.dev/config-propagation: original\n kustomize.component: knative\n name: config-observability\n namespace: knative-eventing\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n #\n # This may be \"zipkin\" or \"stackdriver\", the default is \"none\"\n backend: \"none\"\n\n # URL to zipkin collector where traces are sent.\n # This must be specified when backend is \"zipkin\"\n zipkin-endpoint: \"http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans\"\n\n # The GCP project into which stackdriver metrics will be written\n # when backend is \"stackdriver\". If unspecified, the project-id\n # is read from GCP metadata when running on GCP.\n stackdriver-project-id: \"my-project\"\n\n # Enable zipkin debug mode. This allows all spans to be sent to the server\n # bypassing sampling.\n debug: \"false\"\n\n # Percentage (0-1) of requests to trace\n sample-rate: \"0.1\"\nkind: ConfigMap\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n knative.dev/config-category: eventing\n knative.dev/config-propagation: original\n kustomize.component: knative\n name: config-tracing\n namespace: knative-eventing\n---\napiVersion: v1\ndata:\n default-ch-config: |\n clusterDefault:\n apiVersion: messaging.knative.dev/v1beta1\n kind: InMemoryChannel\n namespaceDefaults:\n some-namespace:\n apiVersion: messaging.knative.dev/v1beta1\n kind: InMemoryChannel\nkind: ConfigMap\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: default-ch-webhook\n namespace: knative-eventing\n---\napiVersion: v1\nkind: Secret\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-webhook-certs\n namespace: knative-eventing\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n eventing.knative.dev/brokerRole: filter\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: broker-filter\n namespace: knative-eventing\nspec:\n ports:\n - name: http\n port: 80\n protocol: TCP\n targetPort: 8080\n - name: http-metrics\n port: 9090\n protocol: TCP\n targetPort: 9090\n selector:\n eventing.knative.dev/brokerRole: filter\n kustomize.component: knative\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n eventing.knative.dev/brokerRole: ingress\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: broker-ingress\n namespace: knative-eventing\nspec:\n ports:\n - name: http\n port: 80\n protocol: TCP\n targetPort: 8080\n - name: http-metrics\n port: 9090\n protocol: TCP\n targetPort: 9090\n selector:\n eventing.knative.dev/brokerRole: ingress\n kustomize.component: knative\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n role: eventing-webhook\n name: eventing-webhook\n namespace: knative-eventing\nspec:\n ports:\n - name: https-webhook\n port: 443\n targetPort: 8443\n selector:\n kustomize.component: knative\n role: eventing-webhook\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n messaging.knative.dev/channel: in-memory-channel\n messaging.knative.dev/role: dispatcher\n name: imc-dispatcher\n namespace: knative-eventing\nspec:\n ports:\n - name: http-dispatcher\n port: 80\n protocol: TCP\n targetPort: 8080\n selector:\n kustomize.component: knative\n messaging.knative.dev/channel: in-memory-channel\n messaging.knative.dev/role: dispatcher\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: broker-controller\n namespace: knative-eventing\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: broker-controller\n kustomize.component: knative\n template:\n metadata:\n labels:\n app: broker-controller\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n spec:\n containers:\n - env:\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/eventing\n - name: BROKER_INGRESS_IMAGE\n value: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/ingress@sha256:cfdaf7a48a22e3bab15e6b15e7ee387eb6406e00e9e4942e58b4a7bc8c2df3cf\n - name: BROKER_INGRESS_SERVICE_ACCOUNT\n value: eventing-broker-ingress\n - name: BROKER_FILTER_IMAGE\n value: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/filter@sha256:ad578e71aad9c040087dd621fddd73f70ede4d03ae5425c79e8995d06ebb8aca\n - name: BROKER_FILTER_SERVICE_ACCOUNT\n value: eventing-broker-filter\n - name: BROKER_IMAGE_PULL_SECRET_NAME\n value: null\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-channel_broker:special-740ce\n name: eventing-controller\n ports:\n - containerPort: 9090\n name: metrics\n - containerPort: 8008\n name: profiling\n resources:\n requests:\n cpu: 100m\n memory: 100Mi\n securityContext:\n allowPrivilegeEscalation: false\n terminationMessagePolicy: FallbackToLogsOnError\n serviceAccountName: eventing-controller\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-controller\n namespace: knative-eventing\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: eventing-controller\n kustomize.component: knative\n template:\n metadata:\n labels:\n app: eventing-controller\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n spec:\n containers:\n - env:\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/eventing\n - name: PING_IMAGE\n value: gcr.io/knative-releases/knative.dev/eventing/cmd/ping/adapter@sha256:c7272752928f6eeb9a66cf47c00b2d295ffb8517f2033dbbc8a5f461f6adafc2\n - name: JOB_RUNNER_IMAGE\n value: gcr.io/knative-releases/knative.dev/eventing/cmd/ping/jobrunner@sha256:b47877189b1e0f23c2617875574b16505251ae45ea091969332266621af99af8\n - name: APISERVER_RA_IMAGE\n value: gcr.io/knative-releases/knative.dev/eventing/cmd/apiserver_receive_adapter@sha256:717e08da76235229c5664240351ece8c70767768437c0a6d498210cdcc182f14\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-controller:special-a8863\n name: eventing-controller\n ports:\n - containerPort: 9090\n name: metrics\n - containerPort: 8008\n name: profiling\n resources:\n requests:\n cpu: 100m\n memory: 100Mi\n securityContext:\n allowPrivilegeEscalation: false\n terminationMessagePolicy: FallbackToLogsOnError\n serviceAccountName: eventing-controller\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: eventing-webhook\n namespace: knative-eventing\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: eventing-webhook\n kustomize.component: knative\n role: eventing-webhook\n template:\n metadata:\n labels:\n app: eventing-webhook\n kustomize.component: knative\n role: eventing-webhook\n spec:\n containers:\n - env:\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: METRICS_DOMAIN\n value: knative.dev/eventing\n - name: WEBHOOK_NAME\n value: eventing-webhook\n - name: SINK_BINDING_SELECTION_MODE\n value: exclusion\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-webhook:special-fcf31\n name: eventing-webhook\n ports:\n - containerPort: 8443\n name: https-webhook\n - containerPort: 9090\n name: metrics\n - containerPort: 8008\n name: profiling\n resources:\n limits:\n cpu: 200m\n memory: 200Mi\n requests:\n cpu: 20m\n memory: 20Mi\n securityContext:\n allowPrivilegeEscalation: false\n terminationMessagePolicy: FallbackToLogsOnError\n serviceAccountName: eventing-webhook\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-controller\n namespace: knative-eventing\nspec:\n replicas: 1\n selector:\n matchLabels:\n kustomize.component: knative\n messaging.knative.dev/channel: in-memory-channel\n messaging.knative.dev/role: controller\n template:\n metadata:\n labels:\n kustomize.component: knative\n messaging.knative.dev/channel: in-memory-channel\n messaging.knative.dev/role: controller\n spec:\n containers:\n - env:\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/inmemorychannel-controller\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: DISPATCHER_IMAGE\n value: registry.cn-shenzhen.aliyuncs.com/tensorbytes/in_memory-channel_dispatcher:special-6f8a5\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/in_memory-channel_controller:special-4135b\n name: controller\n ports:\n - containerPort: 9090\n name: metrics\n - containerPort: 8008\n name: profiling\n securityContext:\n allowPrivilegeEscalation: false\n serviceAccountName: imc-controller\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: imc-dispatcher\n namespace: knative-eventing\nspec:\n replicas: 1\n selector:\n matchLabels:\n kustomize.component: knative\n messaging.knative.dev/channel: in-memory-channel\n messaging.knative.dev/role: dispatcher\n template:\n metadata:\n labels:\n kustomize.component: knative\n messaging.knative.dev/channel: in-memory-channel\n messaging.knative.dev/role: dispatcher\n spec:\n containers:\n - env:\n - name: CONFIG_LOGGING_NAME\n value: config-logging\n - name: CONFIG_OBSERVABILITY_NAME\n value: config-observability\n - name: METRICS_DOMAIN\n value: knative.dev/inmemorychannel-dispatcher\n - name: SYSTEM_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/in_memory-channel_dispatcher:special-6f8a5\n name: dispatcher\n ports:\n - containerPort: 9090\n name: metrics\n serviceAccountName: imc-dispatcher\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: MutatingWebhookConfiguration\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: sinkbindings.webhook.sources.knative.dev\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n failurePolicy: Fail\n name: sinkbindings.webhook.sources.knative.dev\n sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: MutatingWebhookConfiguration\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: webhook.eventing.knative.dev\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n failurePolicy: Fail\n name: webhook.eventing.knative.dev\n sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: config.webhook.eventing.knative.dev\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n failurePolicy: Fail\n name: config.webhook.eventing.knative.dev\n namespaceSelector:\n matchExpressions:\n - key: eventing.knative.dev/release\n operator: Exists\n sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n labels:\n eventing.knative.dev/release: v0.14.2\n kustomize.component: knative\n name: validation.webhook.eventing.knative.dev\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n service:\n name: eventing-webhook\n namespace: knative-eventing\n failurePolicy: Fail\n name: validation.webhook.eventing.knative.dev\n sideEffects: None\n"
},
{
"path": "manifest1.3/013-istio-1-9-0-cluster-local-gateway-base.yaml",
"content": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: cluster-local-gateway\n install.operator.istio.io/owning-resource: unknown\n istio: cluster-local-gateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: cluster-local-gateway-service-account\n namespace: istio-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: cluster-local-gateway-sds\n namespace: istio-system\nrules:\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - watch\n - list\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: cluster-local-gateway-sds\n namespace: istio-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: cluster-local-gateway-sds\nsubjects:\n- kind: ServiceAccount\n name: cluster-local-gateway-service-account\n namespace: istio-system\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: cluster-local-gateway\n install.operator.istio.io/owning-resource: unknown\n istio: cluster-local-gateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: cluster-local-gateway\n namespace: istio-system\nspec:\n ports:\n - name: status-port\n port: 15020\n protocol: TCP\n targetPort: 15020\n - name: http2\n port: 80\n protocol: TCP\n targetPort: 8080\n selector:\n app: cluster-local-gateway\n istio: cluster-local-gateway\n type: ClusterIP\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: cluster-local-gateway\n install.operator.istio.io/owning-resource: unknown\n istio: cluster-local-gateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: cluster-local-gateway\n namespace: istio-system\nspec:\n selector:\n matchLabels:\n app: cluster-local-gateway\n istio: cluster-local-gateway\n strategy:\n rollingUpdate:\n maxSurge: 100%\n maxUnavailable: 25%\n template:\n metadata:\n annotations:\n prometheus.io/path: /stats/prometheus\n prometheus.io/port: \"15020\"\n prometheus.io/scrape: \"true\"\n sidecar.istio.io/inject: \"false\"\n labels:\n app: cluster-local-gateway\n chart: gateways\n heritage: Tiller\n install.operator.istio.io/owning-resource: unknown\n istio: cluster-local-gateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n service.istio.io/canonical-name: cluster-local-gateway\n service.istio.io/canonical-revision: latest\n sidecar.istio.io/inject: \"false\"\n spec:\n affinity:\n nodeAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - amd64\n weight: 2\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - ppc64le\n weight: 2\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - s390x\n weight: 2\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - amd64\n - ppc64le\n - s390x\n containers:\n - args:\n - proxy\n - router\n - --domain\n - $(POD_NAMESPACE).svc.cluster.local\n - --proxyLogLevel=warning\n - --proxyComponentLogLevel=misc:error\n - --log_output_level=default:info\n - --serviceCluster\n - cluster-local-gateway\n env:\n - name: JWT_POLICY\n value: third-party-jwt\n - name: PILOT_CERT_PROVIDER\n value: istiod\n - name: CA_ADDR\n value: istiod.istio-system.svc:15012\n - name: NODE_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: spec.nodeName\n - name: POD_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.namespace\n - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: status.podIP\n - name: HOST_IP\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: status.hostIP\n - name: SERVICE_ACCOUNT\n valueFrom:\n fieldRef:\n fieldPath: spec.serviceAccountName\n - name: CANONICAL_SERVICE\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-name']\n - name: CANONICAL_REVISION\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-revision']\n - name: ISTIO_META_WORKLOAD_NAME\n value: cluster-local-gateway\n - name: ISTIO_META_OWNER\n value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway\n - name: ISTIO_META_UNPRIVILEGED_POD\n value: \"true\"\n - name: ISTIO_META_ROUTER_MODE\n value: sni-dnat\n - name: ISTIO_META_CLUSTER_ID\n value: Kubernetes\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-proxyv2:1.9.0-e8a74\n name: istio-proxy\n ports:\n - containerPort: 15020\n protocol: TCP\n - containerPort: 8080\n protocol: TCP\n - containerPort: 15090\n name: http-envoy-prom\n protocol: TCP\n readinessProbe:\n failureThreshold: 30\n httpGet:\n path: /healthz/ready\n port: 15021\n scheme: HTTP\n initialDelaySeconds: 1\n periodSeconds: 2\n successThreshold: 1\n timeoutSeconds: 1\n resources:\n limits:\n cpu: 2000m\n memory: 1024Mi\n requests:\n cpu: 100m\n memory: 128Mi\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n privileged: false\n readOnlyRootFilesystem: true\n volumeMounts:\n - mountPath: /etc/istio/proxy\n name: istio-envoy\n - mountPath: /etc/istio/config\n name: config-volume\n - mountPath: /var/run/secrets/istio\n name: istiod-ca-cert\n - mountPath: /var/run/secrets/tokens\n name: istio-token\n readOnly: true\n - mountPath: /var/lib/istio/data\n name: istio-data\n - mountPath: /etc/istio/pod\n name: podinfo\n - mountPath: /etc/istio/ingressgateway-certs\n name: ingressgateway-certs\n readOnly: true\n - mountPath: /etc/istio/ingressgateway-ca-certs\n name: ingressgateway-ca-certs\n readOnly: true\n securityContext:\n fsGroup: 1337\n runAsGroup: 1337\n runAsNonRoot: true\n runAsUser: 1337\n serviceAccountName: cluster-local-gateway-service-account\n volumes:\n - configMap:\n name: istio-ca-root-cert\n name: istiod-ca-cert\n - downwardAPI:\n items:\n - fieldRef:\n fieldPath: metadata.labels\n path: labels\n - fieldRef:\n fieldPath: metadata.annotations\n path: annotations\n - path: cpu-limit\n resourceFieldRef:\n containerName: istio-proxy\n divisor: 1m\n resource: limits.cpu\n - path: cpu-request\n resourceFieldRef:\n containerName: istio-proxy\n divisor: 1m\n resource: requests.cpu\n name: podinfo\n - emptyDir: {}\n name: istio-envoy\n - emptyDir: {}\n name: istio-data\n - name: istio-token\n projected:\n sources:\n - serviceAccountToken:\n audience: istio-ca\n expirationSeconds: 43200\n path: istio-token\n - configMap:\n name: istio\n optional: true\n name: config-volume\n - name: ingressgateway-certs\n secret:\n optional: true\n secretName: istio-ingressgateway-certs\n - name: ingressgateway-ca-certs\n secret:\n optional: true\n secretName: istio-ingressgateway-ca-certs\n---\napiVersion: networking.istio.io/v1alpha3\nkind: Gateway\nmetadata:\n labels:\n release: istio\n name: cluster-local-gateway\n namespace: istio-system\nspec:\n selector:\n app: cluster-local-gateway\n istio: cluster-local-gateway\n servers:\n - hosts:\n - '*'\n port:\n name: http\n number: 80\n protocol: HTTP\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n name: cluster-local-gateway\n namespace: istio-system\nspec:\n action: ALLOW\n rules:\n - {}\n selector:\n matchLabels:\n app: cluster-local-gateway\n istio: cluster-local-gateway\n"
},
{
"path": "manifest1.3/014-kubeflow-namespace-kubeflow-namespace-base.yaml",
"content": "apiVersion: v1\nkind: Namespace\nmetadata:\n labels:\n control-plane: kubeflow\n istio-injection: enabled\n katib-metricscollector-injection: enabled\n name: kubeflow\n"
},
{
"path": "manifest1.3/015-kubeflow-roles-kubeflow-roles-base.yaml",
"content": "aggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: kubeflow-admin\nrules: []\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: kubeflow-edit\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: kubeflow-kubernetes-admin\nrules:\n- apiGroups:\n - authorization.k8s.io\n resources:\n - localsubjectaccessreviews\n verbs:\n - create\n- apiGroups:\n - rbac.authorization.k8s.io\n resources:\n - rolebindings\n - roles\n verbs:\n - create\n - delete\n - deletecollection\n - get\n - list\n - patch\n - update\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n name: kubeflow-kubernetes-edit\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods/attach\n - pods/exec\n - pods/portforward\n - pods/proxy\n - secrets\n - services/proxy\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - serviceaccounts\n verbs:\n - impersonate\n- apiGroups:\n - \"\"\n resources:\n - pods\n - pods/attach\n - pods/exec\n - pods/portforward\n - pods/proxy\n verbs:\n - create\n - delete\n - deletecollection\n - patch\n - update\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n - endpoints\n - persistentvolumeclaims\n - replicationcontrollers\n - replicationcontrollers/scale\n - secrets\n - serviceaccounts\n - services\n - services/proxy\n verbs:\n - create\n - delete\n - deletecollection\n - patch\n - update\n- apiGroups:\n - apps\n resources:\n - daemonsets\n - deployments\n - deployments/rollback\n - deployments/scale\n - replicasets\n - replicasets/scale\n - statefulsets\n - statefulsets/scale\n verbs:\n - create\n - delete\n - deletecollection\n - patch\n - update\n- apiGroups:\n - autoscaling\n resources:\n - horizontalpodautoscalers\n verbs:\n - create\n - delete\n - deletecollection\n - patch\n - update\n- apiGroups:\n - batch\n resources:\n - cronjobs\n - jobs\n verbs:\n - create\n - delete\n - deletecollection\n - patch\n - update\n- apiGroups:\n - extensions\n resources:\n - daemonsets\n - deployments\n - deployments/rollback\n - deployments/scale\n - ingresses\n - networkpolicies\n - replicasets\n - replicasets/scale\n - replicationcontrollers/scale\n verbs:\n - create\n - delete\n - deletecollection\n - patch\n - update\n- apiGroups:\n - policy\n resources:\n - poddisruptionbudgets\n verbs:\n - create\n - delete\n - deletecollection\n - patch\n - update\n- apiGroups:\n - networking.k8s.io\n resources:\n - ingresses\n - networkpolicies\n verbs:\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: kubeflow-kubernetes-view\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n - endpoints\n - persistentvolumeclaims\n - persistentvolumeclaims/status\n - pods\n - replicationcontrollers\n - replicationcontrollers/scale\n - serviceaccounts\n - services\n - services/status\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - bindings\n - events\n - limitranges\n - namespaces/status\n - pods/log\n - pods/status\n - replicationcontrollers/status\n - resourcequotas\n - resourcequotas/status\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - namespaces\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - apps\n resources:\n - controllerrevisions\n - daemonsets\n - daemonsets/status\n - deployments\n - deployments/scale\n - deployments/status\n - replicasets\n - replicasets/scale\n - replicasets/status\n - statefulsets\n - statefulsets/scale\n - statefulsets/status\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - autoscaling\n resources:\n - horizontalpodautoscalers\n - horizontalpodautoscalers/status\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - batch\n resources:\n - cronjobs\n - cronjobs/status\n - jobs\n - jobs/status\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - extensions\n resources:\n - daemonsets\n - daemonsets/status\n - deployments\n - deployments/scale\n - deployments/status\n - ingresses\n - ingresses/status\n - networkpolicies\n - replicasets\n - replicasets/scale\n - replicasets/status\n - replicationcontrollers/scale\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - policy\n resources:\n - poddisruptionbudgets\n - poddisruptionbudgets/status\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - networking.k8s.io\n resources:\n - ingresses\n - ingresses/status\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n name: kubeflow-view\nrules: []\n"
},
{
"path": "manifest1.3/016-istio-1-9-0-kubeflow-istio-resources-base.yaml",
"content": "aggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: kubeflow-istio-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: \"true\"\n name: kubeflow-istio-edit\nrules:\n- apiGroups:\n - istio.io\n - networking.istio.io\n resources:\n - '*'\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: kubeflow-istio-view\nrules:\n- apiGroups:\n - istio.io\n - networking.istio.io\n resources:\n - '*'\n verbs:\n - get\n - list\n - watch\n---\napiVersion: networking.istio.io/v1alpha3\nkind: Gateway\nmetadata:\n name: kubeflow-gateway\n namespace: kubeflow\nspec:\n selector:\n istio: ingressgateway\n servers:\n - hosts:\n - '*'\n port:\n name: http\n number: 80\n protocol: HTTP\n"
},
{
"path": "manifest1.3/017-pipeline-env-platform-agnostic-multi-user.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: clusterworkflowtemplates.argoproj.io\nspec:\n group: argoproj.io\n names:\n kind: ClusterWorkflowTemplate\n listKind: ClusterWorkflowTemplateList\n plural: clusterworkflowtemplates\n shortNames:\n - clusterwftmpl\n - cwft\n singular: clusterworkflowtemplate\n scope: Cluster\n version: v1alpha1\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n kustomize.component: metacontroller\n name: compositecontrollers.metacontroller.k8s.io\nspec:\n group: metacontroller.k8s.io\n names:\n kind: CompositeController\n plural: compositecontrollers\n shortNames:\n - cc\n - cctl\n singular: compositecontroller\n scope: Cluster\n version: v1alpha1\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n kustomize.component: metacontroller\n name: controllerrevisions.metacontroller.k8s.io\nspec:\n group: metacontroller.k8s.io\n names:\n kind: ControllerRevision\n plural: controllerrevisions\n singular: controllerrevision\n scope: Namespaced\n version: v1alpha1\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: cronworkflows.argoproj.io\nspec:\n group: argoproj.io\n names:\n kind: CronWorkflow\n listKind: CronWorkflowList\n plural: cronworkflows\n shortNames:\n - cwf\n - cronwf\n singular: cronworkflow\n scope: Namespaced\n version: v1alpha1\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n kustomize.component: metacontroller\n name: decoratorcontrollers.metacontroller.k8s.io\nspec:\n group: metacontroller.k8s.io\n names:\n kind: DecoratorController\n plural: decoratorcontrollers\n shortNames:\n - dec\n - decorators\n singular: decoratorcontroller\n scope: Cluster\n version: v1alpha1\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: scheduledworkflows.kubeflow.org\nspec:\n group: kubeflow.org\n names:\n kind: ScheduledWorkflow\n listKind: ScheduledWorkflowList\n plural: scheduledworkflows\n shortNames:\n - swf\n singular: scheduledworkflow\n scope: Namespaced\n versions:\n - name: v1beta1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: viewers.kubeflow.org\nspec:\n group: kubeflow.org\n names:\n kind: Viewer\n listKind: ViewerList\n plural: viewers\n shortNames:\n - vi\n singular: viewer\n scope: Namespaced\n versions:\n - name: v1beta1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: workfloweventbindings.argoproj.io\nspec:\n group: argoproj.io\n names:\n kind: WorkflowEventBinding\n listKind: WorkflowEventBindingList\n plural: workfloweventbindings\n shortNames:\n - wfeb\n singular: workfloweventbinding\n scope: Namespaced\n version: v1alpha1\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: workflows.argoproj.io\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.phase\n description: Status of the workflow\n name: Status\n type: string\n - JSONPath: .status.startedAt\n description: When the workflow was started\n format: date-time\n name: Age\n type: date\n group: argoproj.io\n names:\n kind: Workflow\n listKind: WorkflowList\n plural: workflows\n shortNames:\n - wf\n singular: workflow\n scope: Namespaced\n subresources: {}\n version: v1alpha1\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: workflowtemplates.argoproj.io\nspec:\n group: argoproj.io\n names:\n kind: WorkflowTemplate\n listKind: WorkflowTemplateList\n plural: workflowtemplates\n shortNames:\n - wftmpl\n singular: workflowtemplate\n scope: Namespaced\n version: v1alpha1\n versions:\n - name: v1alpha1\n served: true\n storage: true\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: argo\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache-deployer-sa\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-container-builder\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-metadata-writer\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-viewer\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n kustomize.component: metacontroller\n name: meta-controller-service\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: metadata-grpc-server\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-persistenceagent\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-scheduledworkflow\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-viewer-crd-service-account\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-visualizationserver\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: mysql\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: pipeline-runner\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: argo-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: cache-deployer\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache-deployer-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - create\n - delete\n - get\n - patch\n - list\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: kubeflow-pipelines-metadata-writer-role\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-metadata-writer-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: ml-pipeline\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - pods/log\n verbs:\n - get\n - list\n - delete\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - kubeflow.org\n resources:\n - scheduledworkflows\n verbs:\n - create\n - get\n - list\n - update\n - patch\n - delete\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n- apiGroups:\n - authentication.k8s.io\n resources:\n - tokenreviews\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-persistenceagent-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - kubeflow.org\n resources:\n - scheduledworkflows\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: ml-pipeline-scheduledworkflow-role\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-scheduledworkflow-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - kubeflow.org\n resources:\n - scheduledworkflows\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: ml-pipeline-ui\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - pods/log\n verbs:\n - get\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - list\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n- apiGroups:\n - kubeflow.org\n resources:\n - viewers\n verbs:\n - create\n - get\n - list\n - watch\n - delete\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - get\n - list\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-viewer-controller-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - '*'\n resources:\n - deployments\n - services\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - kubeflow.org\n resources:\n - viewers\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: pipeline-runner\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - watch\n - list\n- apiGroups:\n - \"\"\n resources:\n - persistentvolumes\n - persistentvolumeclaims\n verbs:\n - '*'\n- apiGroups:\n - snapshot.storage.k8s.io\n resources:\n - volumesnapshots\n verbs:\n - create\n - delete\n - get\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - pods\n - pods/exec\n - pods/log\n - services\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n - apps\n - extensions\n resources:\n - deployments\n - replicasets\n verbs:\n - '*'\n- apiGroups:\n - kubeflow.org\n resources:\n - '*'\n verbs:\n - '*'\n- apiGroups:\n - batch\n resources:\n - jobs\n verbs:\n - '*'\n- apiGroups:\n - machinelearning.seldon.io\n resources:\n - seldondeployments\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: \"true\"\n name: aggregate-to-kubeflow-pipelines-edit\nrules:\n- apiGroups:\n - pipelines.kubeflow.org\n resources:\n - pipelines\n - pipelines/versions\n verbs:\n - create\n - delete\n - update\n- apiGroups:\n - pipelines.kubeflow.org\n resources:\n - experiments\n verbs:\n - archive\n - create\n - delete\n - unarchive\n- apiGroups:\n - pipelines.kubeflow.org\n resources:\n - runs\n verbs:\n - archive\n - create\n - delete\n - retry\n - terminate\n - unarchive\n- apiGroups:\n - pipelines.kubeflow.org\n resources:\n - jobs\n verbs:\n - create\n - delete\n - disable\n - enable\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-view: \"true\"\n name: aggregate-to-kubeflow-pipelines-view\nrules:\n- apiGroups:\n - pipelines.kubeflow.org\n resources:\n - pipelines\n - pipelines/versions\n - experiments\n - runs\n - jobs\n verbs:\n - get\n - list\n- apiGroups:\n - kubeflow.org\n resources:\n - viewers\n verbs:\n - create\n - get\n - delete\n- apiGroups:\n - pipelines.kubeflow.org\n resources:\n - visualizations\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n rbac.authorization.k8s.io/aggregate-to-admin: \"true\"\n name: argo-aggregate-to-admin\nrules:\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n - workflows/finalizers\n - workfloweventbindings\n - workfloweventbindings/finalizers\n - workflowtemplates\n - workflowtemplates/finalizers\n - cronworkflows\n - cronworkflows/finalizers\n - clusterworkflowtemplates\n - clusterworkflowtemplates/finalizers\n verbs:\n - create\n - delete\n - deletecollection\n - get\n - list\n - patch\n - update\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n rbac.authorization.k8s.io/aggregate-to-edit: \"true\"\n name: argo-aggregate-to-edit\nrules:\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n - workflows/finalizers\n - workfloweventbindings\n - workfloweventbindings/finalizers\n - workflowtemplates\n - workflowtemplates/finalizers\n - cronworkflows\n - cronworkflows/finalizers\n - clusterworkflowtemplates\n - clusterworkflowtemplates/finalizers\n verbs:\n - create\n - delete\n - deletecollection\n - get\n - list\n - patch\n - update\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n rbac.authorization.k8s.io/aggregate-to-view: \"true\"\n name: argo-aggregate-to-view\nrules:\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n - workflows/finalizers\n - workfloweventbindings\n - workfloweventbindings/finalizers\n - workflowtemplates\n - workflowtemplates/finalizers\n - cronworkflows\n - cronworkflows/finalizers\n - clusterworkflowtemplates\n - clusterworkflowtemplates/finalizers\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: argo-cluster-role\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - pods/exec\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - watch\n - list\n- apiGroups:\n - \"\"\n resources:\n - persistentvolumeclaims\n verbs:\n - create\n - delete\n - get\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n - workflows/finalizers\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n - delete\n - create\n- apiGroups:\n - argoproj.io\n resources:\n - workflowtemplates\n - workflowtemplates/finalizers\n - clusterworkflowtemplates\n - clusterworkflowtemplates/finalizers\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - serviceaccounts\n verbs:\n - get\n - list\n- apiGroups:\n - argoproj.io\n resources:\n - cronworkflows\n - cronworkflows/finalizers\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n- apiGroups:\n - policy\n resources:\n - poddisruptionbudgets\n verbs:\n - create\n - get\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: kubeflow-pipelines-cache-deployer-clusterrole\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache-deployer-clusterrole\nrules:\n- apiGroups:\n - certificates.k8s.io\n resources:\n - certificatesigningrequests\n - certificatesigningrequests/approval\n verbs:\n - create\n - delete\n - get\n - update\n- apiGroups:\n - admissionregistration.k8s.io\n resources:\n - mutatingwebhookconfigurations\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n- apiGroups:\n - certificates.k8s.io\n resourceNames:\n - kubernetes.io/*\n resources:\n - signers\n verbs:\n - approve\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache-role\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n name: kubeflow-pipelines-edit\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-metadata-writer-role\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - get\n - list\n - watch\n - update\n - patch\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-view: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: kubeflow-pipelines-view\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-persistenceagent-role\nrules:\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - kubeflow.org\n resources:\n - scheduledworkflows\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-scheduledworkflow-role\nrules:\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - kubeflow.org\n resources:\n - scheduledworkflows\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: ml-pipeline-ui\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - pods/log\n verbs:\n - get\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - list\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n- apiGroups:\n - kubeflow.org\n resources:\n - viewers\n verbs:\n - create\n - get\n - list\n - watch\n - delete\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - get\n - list\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-viewer-controller-role\nrules:\n- apiGroups:\n - '*'\n resources:\n - deployments\n - services\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - kubeflow.org\n resources:\n - viewers\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - pods/log\n verbs:\n - get\n - list\n - delete\n- apiGroups:\n - argoproj.io\n resources:\n - workflows\n verbs:\n - create\n - get\n - list\n - watch\n - update\n - patch\n - delete\n- apiGroups:\n - kubeflow.org\n resources:\n - scheduledworkflows\n verbs:\n - create\n - get\n - list\n - update\n - patch\n - delete\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n- apiGroups:\n - authentication.k8s.io\n resources:\n - tokenreviews\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: argo-binding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: argo-role\nsubjects:\n- kind: ServiceAccount\n name: argo\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache-binding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: kubeflow-pipelines-cache-role\nsubjects:\n- kind: ServiceAccount\n name: kubeflow-pipelines-cache\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app: cache-deployer\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache-deployer-rolebinding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: kubeflow-pipelines-cache-deployer-role\nsubjects:\n- kind: ServiceAccount\n name: kubeflow-pipelines-cache-deployer-sa\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-metadata-writer-binding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: kubeflow-pipelines-metadata-writer-role\nsubjects:\n- kind: ServiceAccount\n name: kubeflow-pipelines-metadata-writer\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app: ml-pipeline\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: ml-pipeline\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-persistenceagent-binding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: ml-pipeline-persistenceagent-role\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline-persistenceagent\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-scheduledworkflow-binding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: ml-pipeline-scheduledworkflow-role\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline-scheduledworkflow\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app: ml-pipeline-ui\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: ml-pipeline-ui\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline-ui\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-viewer-crd-binding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: ml-pipeline-viewer-controller-role\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline-viewer-crd-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: pipeline-runner-binding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: pipeline-runner\nsubjects:\n- kind: ServiceAccount\n name: pipeline-runner\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: argo-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: argo-cluster-role\nsubjects:\n- kind: ServiceAccount\n name: argo\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: kubeflow-pipelines-cache-role\nsubjects:\n- kind: ServiceAccount\n name: kubeflow-pipelines-cache\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-cache-deployer-clusterrolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: kubeflow-pipelines-cache-deployer-clusterrole\nsubjects:\n- kind: ServiceAccount\n name: kubeflow-pipelines-cache-deployer-sa\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-metadata-writer-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: kubeflow-pipelines-metadata-writer-role\nsubjects:\n- kind: ServiceAccount\n name: kubeflow-pipelines-metadata-writer\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n kustomize.component: metacontroller\n name: meta-controller-cluster-role-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n name: meta-controller-service\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-persistenceagent-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: ml-pipeline-persistenceagent-role\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline-persistenceagent\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-scheduledworkflow-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: ml-pipeline-scheduledworkflow-role\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline-scheduledworkflow\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: ml-pipeline-ui\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: ml-pipeline-ui\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline-ui\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-viewer-crd-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: ml-pipeline-viewer-controller-role\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline-viewer-crd-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: ml-pipeline\nsubjects:\n- kind: ServiceAccount\n name: ml-pipeline\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n sync.py: |\n # Copyright 2020-2021 Google LLC\n #\n # Licensed under the Apache License, Version 2.0 (the \"License\");\n # you may not use this file except in compliance with the License.\n # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n # Unless required by applicable law or agreed to in writing, software\n # distributed under the License is distributed on an \"AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n # See the License for the specific language governing permissions and\n # limitations under the License.\n\n from http.server import BaseHTTPRequestHandler, HTTPServer\n import json\n import os\n import base64\n\n kfp_version = os.environ[\"KFP_VERSION\"]\n disable_istio_sidecar = os.environ.get(\"DISABLE_ISTIO_SIDECAR\") == \"true\"\n mlpipeline_minio_access_key = base64.b64encode(\n bytes(os.environ.get(\"MINIO_ACCESS_KEY\"), 'utf-8')).decode('utf-8')\n mlpipeline_minio_secret_key = base64.b64encode(\n bytes(os.environ.get(\"MINIO_SECRET_KEY\"), 'utf-8')).decode('utf-8')\n\n\n class Controller(BaseHTTPRequestHandler):\n def sync(self, parent, children):\n pipeline_enabled = parent.get(\"metadata\", {}).get(\n \"labels\", {}).get(\"pipelines.kubeflow.org/enabled\")\n\n if pipeline_enabled != \"true\":\n return {\"status\": {}, \"children\": []}\n\n # Compute status based on observed state.\n desired_status = {\n \"kubeflow-pipelines-ready\": \\\n len(children[\"Secret.v1\"]) == 1 and \\\n len(children[\"ConfigMap.v1\"]) == 1 and \\\n len(children[\"Deployment.apps/v1\"]) == 2 and \\\n len(children[\"Service.v1\"]) == 2 and \\\n len(children[\"DestinationRule.networking.istio.io/v1alpha3\"]) == 1 and \\\n len(children[\"AuthorizationPolicy.security.istio.io/v1beta1\"]) == 1 and \\\n \"True\" or \"False\"\n }\n\n # Generate the desired child object(s).\n # parent is a namespace\n namespace = parent.get(\"metadata\", {}).get(\"name\")\n desired_resources = [\n {\n \"apiVersion\": \"v1\",\n \"kind\": \"ConfigMap\",\n \"metadata\": {\n \"name\": \"metadata-grpc-configmap\",\n \"namespace\": namespace,\n },\n \"data\": {\n \"METADATA_GRPC_SERVICE_HOST\":\n \"metadata-grpc-service.kubeflow\",\n \"METADATA_GRPC_SERVICE_PORT\": \"8080\",\n },\n },\n # Visualization server related manifests below\n {\n \"apiVersion\": \"apps/v1\",\n \"kind\": \"Deployment\",\n \"metadata\": {\n \"labels\": {\n \"app\": \"ml-pipeline-visualizationserver\"\n },\n \"name\": \"ml-pipeline-visualizationserver\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"selector\": {\n \"matchLabels\": {\n \"app\": \"ml-pipeline-visualizationserver\"\n },\n },\n \"template\": {\n \"metadata\": {\n \"labels\": {\n \"app\": \"ml-pipeline-visualizationserver\"\n },\n \"annotations\": disable_istio_sidecar and {\n \"sidecar.istio.io/inject\": \"false\"\n } or {},\n },\n \"spec\": {\n \"containers\": [{\n \"image\":\n \"gcr.io/ml-pipeline/visualization-server:\" +\n kfp_version,\n \"imagePullPolicy\":\n \"IfNotPresent\",\n \"name\":\n \"ml-pipeline-visualizationserver\",\n \"ports\": [{\n \"containerPort\": 8888\n }],\n \"resources\": {\n \"requests\": {\n \"cpu\": \"50m\",\n \"memory\": \"200Mi\"\n },\n \"limits\": {\n \"cpu\": \"500m\",\n \"memory\": \"1Gi\"\n },\n }\n }],\n \"serviceAccountName\":\n \"default-editor\",\n },\n },\n },\n },\n {\n \"apiVersion\": \"networking.istio.io/v1alpha3\",\n \"kind\": \"DestinationRule\",\n \"metadata\": {\n \"name\": \"ml-pipeline-visualizationserver\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"host\": \"ml-pipeline-visualizationserver\",\n \"trafficPolicy\": {\n \"tls\": {\n \"mode\": \"ISTIO_MUTUAL\"\n }\n }\n }\n },\n {\n \"apiVersion\": \"security.istio.io/v1beta1\",\n \"kind\": \"AuthorizationPolicy\",\n \"metadata\": {\n \"name\": \"ml-pipeline-visualizationserver\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"selector\": {\n \"matchLabels\": {\n \"app\": \"ml-pipeline-visualizationserver\"\n }\n },\n \"rules\": [{\n \"from\": [{\n \"source\": {\n \"principals\": [\"cluster.local/ns/kubeflow/sa/ml-pipeline\"]\n }\n }]\n }]\n }\n },\n {\n \"apiVersion\": \"v1\",\n \"kind\": \"Service\",\n \"metadata\": {\n \"name\": \"ml-pipeline-visualizationserver\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"ports\": [{\n \"name\": \"http\",\n \"port\": 8888,\n \"protocol\": \"TCP\",\n \"targetPort\": 8888,\n }],\n \"selector\": {\n \"app\": \"ml-pipeline-visualizationserver\",\n },\n },\n },\n # Artifact fetcher related resources below.\n {\n \"apiVersion\": \"apps/v1\",\n \"kind\": \"Deployment\",\n \"metadata\": {\n \"labels\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n },\n \"name\": \"ml-pipeline-ui-artifact\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"selector\": {\n \"matchLabels\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n }\n },\n \"template\": {\n \"metadata\": {\n \"labels\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n },\n \"annotations\": disable_istio_sidecar and {\n \"sidecar.istio.io/inject\": \"false\"\n } or {},\n },\n \"spec\": {\n \"containers\": [{\n \"name\":\n \"ml-pipeline-ui-artifact\",\n \"image\":\n \"gcr.io/ml-pipeline/frontend:\" + kfp_version,\n \"imagePullPolicy\":\n \"IfNotPresent\",\n \"ports\": [{\n \"containerPort\": 3000\n }],\n \"resources\": {\n \"requests\": {\n \"cpu\": \"10m\",\n \"memory\": \"70Mi\"\n },\n \"limits\": {\n \"cpu\": \"100m\",\n \"memory\": \"500Mi\"\n },\n }\n }],\n \"serviceAccountName\":\n \"default-editor\"\n }\n }\n }\n },\n {\n \"apiVersion\": \"v1\",\n \"kind\": \"Service\",\n \"metadata\": {\n \"name\": \"ml-pipeline-ui-artifact\",\n \"namespace\": namespace,\n \"labels\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n }\n },\n \"spec\": {\n \"ports\": [{\n \"name\":\n \"http\", # name is required to let istio understand request protocol\n \"port\": 80,\n \"protocol\": \"TCP\",\n \"targetPort\": 3000\n }],\n \"selector\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n }\n }\n },\n ]\n print('Received request:', parent)\n print('Desired resources except secrets:', desired_resources)\n # Moved after the print argument because this is sensitive data.\n desired_resources.append({\n \"apiVersion\": \"v1\",\n \"kind\": \"Secret\",\n \"metadata\": {\n \"name\": \"mlpipeline-minio-artifact\",\n \"namespace\": namespace,\n },\n \"data\": {\n \"accesskey\": mlpipeline_minio_access_key,\n \"secretkey\": mlpipeline_minio_secret_key,\n },\n })\n\n return {\"status\": desired_status, \"children\": desired_resources}\n\n def do_POST(self):\n # Serve the sync() function as a JSON webhook.\n observed = json.loads(\n self.rfile.read(int(self.headers.get(\"content-length\"))))\n desired = self.sync(observed[\"parent\"], observed[\"children\"])\n\n self.send_response(200)\n self.send_header(\"Content-type\", \"application/json\")\n self.end_headers()\n self.wfile.write(bytes(json.dumps(desired), 'utf-8'))\n\n\n HTTPServer((\"\", 8080), Controller).serve_forever()\nkind: ConfigMap\nmetadata:\n labels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-profile-controller-code-c2cd68d9k4\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n DISABLE_ISTIO_SIDECAR: \"false\"\nkind: ConfigMap\nmetadata:\n labels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-profile-controller-env-5252m69c4c\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n METADATA_GRPC_SERVICE_HOST: metadata-grpc-service\n METADATA_GRPC_SERVICE_PORT: \"8080\"\nkind: ConfigMap\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n component: metadata-grpc-server\n name: metadata-grpc-configmap\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n viewer-pod-template.json: |-\n {\n \"spec\": {\n \"serviceAccountName\": \"default-editor\"\n }\n }\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui-configmap\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n DEFAULTPIPELINERUNNERSERVICEACCOUNT: default-editor\n MULTIUSER: \"true\"\n VISUALIZATIONSERVICE_NAME: ml-pipeline-visualizationserver\n VISUALIZATIONSERVICE_PORT: \"8888\"\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: pipeline-api-server-config-dc9hkg52h6\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n appName: pipeline\n appVersion: 1.5.0-rc.2\n autoUpdatePipelineDefaultVersion: \"true\"\n bucketName: mlpipeline\n cacheDb: cachedb\n cacheImage: gcr.io/google-containers/busybox\n cronScheduleTimezone: UTC\n dbHost: mysql\n dbPort: \"3306\"\n mlmdDb: metadb\n pipelineDb: mlpipeline\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: pipeline-install-config\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n artifactRepository: |\n archiveLogs: true\n s3:\n endpoint: \"minio-service.kubeflow:9000\"\n bucket: \"mlpipeline\"\n keyFormat: \"artifacts/{{workflow.name}}/{{pod.name}}\"\n # insecure will disable TLS. Primarily used for minio installs not configured with TLS\n insecure: true\n accessKeySecret:\n name: mlpipeline-minio-artifact\n key: accesskey\n secretKeySecret:\n name: mlpipeline-minio-artifact\n key: secretkey\n containerRuntimeExecutor: docker\nkind: ConfigMap\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: workflow-controller-configmap\n namespace: kubeflow\n---\napiVersion: v1\nkind: Secret\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: mlpipeline-minio-artifact\n namespace: kubeflow\nstringData:\n accesskey: minio\n secretkey: minio123\n---\napiVersion: v1\nkind: Secret\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: mysql-secret\n namespace: kubeflow\nstringData:\n password: \"\"\n username: root\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: cache-server\n namespace: kubeflow\nspec:\n ports:\n - port: 443\n targetPort: webhook-api\n selector:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-profile-controller\n namespace: kubeflow\nspec:\n ports:\n - name: http\n port: 80\n protocol: TCP\n targetPort: 8080\n selector:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: metadata-envoy\n application-crd-id: kubeflow-pipelines\n name: metadata-envoy-service\n namespace: kubeflow\nspec:\n ports:\n - name: md-envoy\n port: 9090\n protocol: TCP\n selector:\n application-crd-id: kubeflow-pipelines\n component: metadata-envoy\n type: ClusterIP\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: metadata\n application-crd-id: kubeflow-pipelines\n name: metadata-grpc-service\n namespace: kubeflow\nspec:\n ports:\n - name: grpc-api\n port: 8080\n protocol: TCP\n selector:\n application-crd-id: kubeflow-pipelines\n component: metadata-grpc-server\n type: ClusterIP\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: minio-service\n namespace: kubeflow\nspec:\n ports:\n - name: http\n port: 9000\n protocol: TCP\n targetPort: 9000\n selector:\n app: minio\n application-crd-id: kubeflow-pipelines\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline\n namespace: kubeflow\nspec:\n ports:\n - name: http\n port: 8888\n protocol: TCP\n targetPort: 8888\n - name: grpc\n port: 8887\n protocol: TCP\n targetPort: 8887\n selector:\n app: ml-pipeline\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: ml-pipeline-ui\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\n namespace: kubeflow\nspec:\n ports:\n - name: http\n port: 80\n protocol: TCP\n targetPort: 3000\n selector:\n app: ml-pipeline-ui\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-visualizationserver\n namespace: kubeflow\nspec:\n ports:\n - name: http\n port: 8888\n protocol: TCP\n targetPort: 8888\n selector:\n app: ml-pipeline-visualizationserver\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: mysql\n namespace: kubeflow\nspec:\n ports:\n - port: 3306\n protocol: TCP\n targetPort: 3306\n selector:\n app: mysql\n application-crd-id: kubeflow-pipelines\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: workflow-controller-metrics\n namespace: kubeflow\nspec:\n ports:\n - name: metrics\n port: 9090\n protocol: TCP\n targetPort: 9090\n selector:\n app: workflow-controller\n application-crd-id: kubeflow-pipelines\n---\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: minio-pvc\n namespace: kubeflow\nspec:\n accessModes:\n - ReadWriteOnce\n resources:\n requests:\n storage: 20Gi\n---\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: mysql-pv-claim\n namespace: kubeflow\nspec:\n accessModes:\n - ReadWriteOnce\n resources:\n requests:\n storage: 20Gi\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: cache-deployer\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: cache-deployer-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: cache-deployer\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n strategy:\n type: Recreate\n template:\n metadata:\n labels:\n app: cache-deployer\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - env:\n - name: NAMESPACE_TO_WATCH\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-cache-deployer:1.5.0-rc.2-deb1e\n imagePullPolicy: Always\n name: main\n restartPolicy: Always\n serviceAccountName: kubeflow-pipelines-cache-deployer-sa\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: cache-server\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - args:\n - --db_driver=$(DBCONFIG_DRIVER)\n - --db_host=$(DBCONFIG_HOST_NAME)\n - --db_port=$(DBCONFIG_PORT)\n - --db_name=$(DBCONFIG_DB_NAME)\n - --db_user=$(DBCONFIG_USER)\n - --db_password=$(DBCONFIG_PASSWORD)\n - --namespace_to_watch=$(NAMESPACE_TO_WATCH)\n env:\n - name: NAMESPACE_TO_WATCH\n value: \"\"\n - name: CACHE_IMAGE\n valueFrom:\n configMapKeyRef:\n key: cacheImage\n name: pipeline-install-config\n - name: DBCONFIG_DRIVER\n value: mysql\n - name: DBCONFIG_DB_NAME\n valueFrom:\n configMapKeyRef:\n key: cacheDb\n name: pipeline-install-config\n - name: DBCONFIG_HOST_NAME\n valueFrom:\n configMapKeyRef:\n key: dbHost\n name: pipeline-install-config\n - name: DBCONFIG_PORT\n valueFrom:\n configMapKeyRef:\n key: dbPort\n name: pipeline-install-config\n - name: DBCONFIG_USER\n valueFrom:\n secretKeyRef:\n key: username\n name: mysql-secret\n - name: DBCONFIG_PASSWORD\n valueFrom:\n secretKeyRef:\n key: password\n name: mysql-secret\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-cache-server:1.5.0-rc.2-a44df\n imagePullPolicy: Always\n name: server\n ports:\n - containerPort: 8443\n name: webhook-api\n volumeMounts:\n - mountPath: /etc/webhook/certs\n name: webhook-tls-certs\n readOnly: true\n serviceAccountName: kubeflow-pipelines-cache\n volumes:\n - name: webhook-tls-certs\n secret:\n secretName: webhook-server-tls\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-profile-controller\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - command:\n - python\n - /hooks/sync.py\n env:\n - name: KFP_VERSION\n valueFrom:\n configMapKeyRef:\n key: appVersion\n name: pipeline-install-config\n - name: MINIO_ACCESS_KEY\n valueFrom:\n secretKeyRef:\n key: accesskey\n name: mlpipeline-minio-artifact\n - name: MINIO_SECRET_KEY\n valueFrom:\n secretKeyRef:\n key: secretkey\n name: mlpipeline-minio-artifact\n envFrom:\n - configMapRef:\n name: kubeflow-pipelines-profile-controller-env-5252m69c4c\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/python:3.7-3a781\n name: profile-controller\n ports:\n - containerPort: 8080\n volumeMounts:\n - mountPath: /hooks\n name: hooks\n volumes:\n - configMap:\n name: kubeflow-pipelines-profile-controller-code-c2cd68d9k4\n name: hooks\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n component: metadata-envoy\n name: metadata-envoy-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n application-crd-id: kubeflow-pipelines\n component: metadata-envoy\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n application-crd-id: kubeflow-pipelines\n component: metadata-envoy\n spec:\n containers:\n - image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-metadata-envoy:1.5.0-rc.2-050d1\n name: container\n ports:\n - containerPort: 9090\n name: md-envoy\n - containerPort: 9901\n name: envoy-admin\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n component: metadata-grpc-server\n name: metadata-grpc-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n application-crd-id: kubeflow-pipelines\n component: metadata-grpc-server\n template:\n metadata:\n labels:\n application-crd-id: kubeflow-pipelines\n component: metadata-grpc-server\n spec:\n containers:\n - args:\n - --grpc_port=8080\n - --mysql_config_database=$(MYSQL_DATABASE)\n - --mysql_config_host=$(MYSQL_HOST)\n - --mysql_config_port=$(MYSQL_PORT)\n - --mysql_config_user=$(DBCONFIG_USER)\n - --mysql_config_password=$(DBCONFIG_PASSWORD)\n - --enable_database_upgrade=true\n command:\n - /bin/metadata_store_server\n env:\n - name: DBCONFIG_USER\n valueFrom:\n secretKeyRef:\n key: username\n name: mysql-secret\n - name: DBCONFIG_PASSWORD\n valueFrom:\n secretKeyRef:\n key: password\n name: mysql-secret\n - name: MYSQL_DATABASE\n valueFrom:\n configMapKeyRef:\n key: mlmdDb\n name: pipeline-install-config\n - name: MYSQL_HOST\n valueFrom:\n configMapKeyRef:\n key: dbHost\n name: pipeline-install-config\n - name: MYSQL_PORT\n valueFrom:\n configMapKeyRef:\n key: dbPort\n name: pipeline-install-config\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/tfx-oss-public-ml_metadata_store_server:0.25.1-66134\n livenessProbe:\n initialDelaySeconds: 3\n periodSeconds: 5\n tcpSocket:\n port: grpc-api\n timeoutSeconds: 2\n name: container\n ports:\n - containerPort: 8080\n name: grpc-api\n readinessProbe:\n initialDelaySeconds: 3\n periodSeconds: 5\n tcpSocket:\n port: grpc-api\n timeoutSeconds: 2\n serviceAccountName: metadata-grpc-server\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: metadata-writer\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: metadata-writer\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: metadata-writer\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n labels:\n app: metadata-writer\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - env:\n - name: NAMESPACE_TO_WATCH\n value: \"\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-metadata-writer:1.5.0-rc.2-6e1cc\n name: main\n serviceAccountName: kubeflow-pipelines-metadata-writer\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: minio\n application-crd-id: kubeflow-pipelines\n name: minio\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: minio\n application-crd-id: kubeflow-pipelines\n strategy:\n type: Recreate\n template:\n metadata:\n labels:\n app: minio\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - args:\n - server\n - /data\n env:\n - name: MINIO_ACCESS_KEY\n valueFrom:\n secretKeyRef:\n key: accesskey\n name: mlpipeline-minio-artifact\n - name: MINIO_SECRET_KEY\n valueFrom:\n secretKeyRef:\n key: secretkey\n name: mlpipeline-minio-artifact\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-minio:RELEASE.2019-08-14T20-37-41Z-license-compliance-290a7\n name: minio\n ports:\n - containerPort: 9000\n resources:\n requests:\n cpu: 20m\n memory: 100Mi\n volumeMounts:\n - mountPath: /data\n name: data\n subPath: minio\n volumes:\n - name: data\n persistentVolumeClaim:\n claimName: minio-pvc\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: ml-pipeline\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: ml-pipeline\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"true\"\n labels:\n app: ml-pipeline\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - env:\n - name: KUBEFLOW_USERID_HEADER\n value: kubeflow-userid\n - name: KUBEFLOW_USERID_PREFIX\n value: \"\"\n - name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION\n valueFrom:\n configMapKeyRef:\n key: autoUpdatePipelineDefaultVersion\n name: pipeline-install-config\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: OBJECTSTORECONFIG_SECURE\n value: \"false\"\n - name: OBJECTSTORECONFIG_BUCKETNAME\n valueFrom:\n configMapKeyRef:\n key: bucketName\n name: pipeline-install-config\n - name: DBCONFIG_USER\n valueFrom:\n secretKeyRef:\n key: username\n name: mysql-secret\n - name: DBCONFIG_PASSWORD\n valueFrom:\n secretKeyRef:\n key: password\n name: mysql-secret\n - name: DBCONFIG_DBNAME\n valueFrom:\n configMapKeyRef:\n key: pipelineDb\n name: pipeline-install-config\n - name: DBCONFIG_HOST\n valueFrom:\n configMapKeyRef:\n key: dbHost\n name: pipeline-install-config\n - name: DBCONFIG_PORT\n valueFrom:\n configMapKeyRef:\n key: dbPort\n name: pipeline-install-config\n - name: OBJECTSTORECONFIG_ACCESSKEY\n valueFrom:\n secretKeyRef:\n key: accesskey\n name: mlpipeline-minio-artifact\n - name: OBJECTSTORECONFIG_SECRETACCESSKEY\n valueFrom:\n secretKeyRef:\n key: secretkey\n name: mlpipeline-minio-artifact\n envFrom:\n - configMapRef:\n name: pipeline-api-server-config-dc9hkg52h6\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-api-server:1.5.0-rc.2-081bf\n imagePullPolicy: IfNotPresent\n livenessProbe:\n exec:\n command:\n - wget\n - -q\n - -S\n - -O\n - '-'\n - http://localhost:8888/apis/v1beta1/healthz\n initialDelaySeconds: 3\n periodSeconds: 5\n timeoutSeconds: 2\n name: ml-pipeline-api-server\n ports:\n - containerPort: 8888\n name: http\n - containerPort: 8887\n name: grpc\n readinessProbe:\n exec:\n command:\n - wget\n - -q\n - -S\n - -O\n - '-'\n - http://localhost:8888/apis/v1beta1/healthz\n initialDelaySeconds: 3\n periodSeconds: 5\n timeoutSeconds: 2\n resources:\n requests:\n cpu: 250m\n memory: 500Mi\n serviceAccountName: ml-pipeline\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: ml-pipeline-persistenceagent\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-persistenceagent\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: ml-pipeline-persistenceagent\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"true\"\n labels:\n app: ml-pipeline-persistenceagent\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - env:\n - name: NAMESPACE\n value: \"\"\n - name: TTL_SECONDS_AFTER_WORKFLOW_FINISH\n value: \"86400\"\n - name: NUM_WORKERS\n value: \"2\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-persistenceagent:1.5.0-rc.2-afb97\n imagePullPolicy: IfNotPresent\n name: ml-pipeline-persistenceagent\n resources:\n requests:\n cpu: 120m\n memory: 500Mi\n serviceAccountName: ml-pipeline-persistenceagent\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: ml-pipeline-scheduledworkflow\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-scheduledworkflow\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: ml-pipeline-scheduledworkflow\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"true\"\n labels:\n app: ml-pipeline-scheduledworkflow\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - env:\n - name: NAMESPACE\n value: \"\"\n - name: CRON_SCHEDULE_TIMEZONE\n valueFrom:\n configMapKeyRef:\n key: cronScheduleTimezone\n name: pipeline-install-config\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-scheduledworkflow:1.5.0-rc.2-d9b87\n imagePullPolicy: IfNotPresent\n name: ml-pipeline-scheduledworkflow\n serviceAccountName: ml-pipeline-scheduledworkflow\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: ml-pipeline-ui\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: ml-pipeline-ui\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"true\"\n labels:\n app: ml-pipeline-ui\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - env:\n - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH\n value: /etc/config/viewer-pod-template.json\n - name: DEPLOYMENT\n value: KUBEFLOW\n - name: ARTIFACTS_SERVICE_PROXY_NAME\n value: ml-pipeline-ui-artifact\n - name: ARTIFACTS_SERVICE_PROXY_PORT\n value: \"80\"\n - name: ARTIFACTS_SERVICE_PROXY_ENABLED\n value: \"true\"\n - name: ENABLE_AUTHZ\n value: \"true\"\n - name: KUBEFLOW_USERID_HEADER\n value: kubeflow-userid\n - name: KUBEFLOW_USERID_PREFIX\n value: \"\"\n - name: MINIO_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: MINIO_ACCESS_KEY\n valueFrom:\n secretKeyRef:\n key: accesskey\n name: mlpipeline-minio-artifact\n - name: MINIO_SECRET_KEY\n valueFrom:\n secretKeyRef:\n key: secretkey\n name: mlpipeline-minio-artifact\n - name: ALLOW_CUSTOM_VISUALIZATIONS\n value: \"true\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-frontend:1.5.0-rc.2-34ae9\n imagePullPolicy: IfNotPresent\n livenessProbe:\n exec:\n command:\n - wget\n - -q\n - -S\n - -O\n - '-'\n - http://localhost:3000/apis/v1beta1/healthz\n initialDelaySeconds: 3\n periodSeconds: 5\n timeoutSeconds: 2\n name: ml-pipeline-ui\n ports:\n - containerPort: 3000\n readinessProbe:\n exec:\n command:\n - wget\n - -q\n - -S\n - -O\n - '-'\n - http://localhost:3000/apis/v1beta1/healthz\n initialDelaySeconds: 3\n periodSeconds: 5\n timeoutSeconds: 2\n resources:\n requests:\n cpu: 10m\n memory: 70Mi\n volumeMounts:\n - mountPath: /etc/config\n name: config-volume\n readOnly: true\n serviceAccountName: ml-pipeline-ui\n volumes:\n - configMap:\n name: ml-pipeline-ui-configmap\n name: config-volume\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: ml-pipeline-viewer-crd\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-viewer-crd\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: ml-pipeline-viewer-crd\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"true\"\n labels:\n app: ml-pipeline-viewer-crd\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - env:\n - name: NAMESPACE\n value: \"\"\n - name: MAX_NUM_VIEWERS\n value: \"50\"\n - name: MINIO_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-viewer-crd-controller:1.5.0-rc.2-4a500\n imagePullPolicy: Always\n name: ml-pipeline-viewer-crd\n serviceAccountName: ml-pipeline-viewer-crd-service-account\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: ml-pipeline-visualizationserver\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-visualizationserver\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: ml-pipeline-visualizationserver\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n annotations:\n cluster-autoscaler.kubernetes.io/safe-to-evict: \"true\"\n labels:\n app: ml-pipeline-visualizationserver\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-visualization-server:1.5.0-rc.2-03636\n imagePullPolicy: IfNotPresent\n livenessProbe:\n exec:\n command:\n - wget\n - -q\n - -S\n - -O\n - '-'\n - http://localhost:8888/\n initialDelaySeconds: 3\n periodSeconds: 5\n timeoutSeconds: 2\n name: ml-pipeline-visualizationserver\n ports:\n - containerPort: 8888\n name: http\n readinessProbe:\n exec:\n command:\n - wget\n - -q\n - -S\n - -O\n - '-'\n - http://localhost:8888/\n initialDelaySeconds: 3\n periodSeconds: 5\n timeoutSeconds: 2\n resources:\n requests:\n cpu: 30m\n memory: 500Mi\n serviceAccountName: ml-pipeline-visualizationserver\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: mysql\n application-crd-id: kubeflow-pipelines\n name: mysql\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: mysql\n application-crd-id: kubeflow-pipelines\n strategy:\n type: Recreate\n template:\n metadata:\n labels:\n app: mysql\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - args:\n - --ignore-db-dir=lost+found\n - --datadir\n - /var/lib/mysql\n env:\n - name: MYSQL_ALLOW_EMPTY_PASSWORD\n value: \"true\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-mysql:5.7-f8fcd\n name: mysql\n ports:\n - containerPort: 3306\n name: mysql\n resources:\n requests:\n cpu: 100m\n memory: 800Mi\n volumeMounts:\n - mountPath: /var/lib/mysql\n name: mysql-persistent-storage\n serviceAccountName: mysql\n volumes:\n - name: mysql-persistent-storage\n persistentVolumeClaim:\n claimName: mysql-pv-claim\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: workflow-controller\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: workflow-controller\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n labels:\n app: workflow-controller\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - args:\n - --configmap\n - workflow-controller-configmap\n - --executor-image\n - gcr.io/ml-pipeline/argoexec:v2.12.9-license-compliance\n command:\n - workflow-controller\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-workflow-controller:v2.12.9-license-compliance-2d9c1\n livenessProbe:\n httpGet:\n path: /metrics\n port: metrics\n initialDelaySeconds: 30\n periodSeconds: 30\n name: workflow-controller\n ports:\n - containerPort: 9090\n name: metrics\n resources:\n requests:\n cpu: 100m\n memory: 500Mi\n nodeSelector:\n kubernetes.io/os: linux\n securityContext:\n runAsNonRoot: true\n serviceAccountName: argo\n---\napiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n labels:\n app: metacontroller\n application-crd-id: kubeflow-pipelines\n kustomize.component: metacontroller\n name: metacontroller\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: metacontroller\n application-crd-id: kubeflow-pipelines\n kustomize.component: metacontroller\n serviceName: \"\"\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: metacontroller\n application-crd-id: kubeflow-pipelines\n kustomize.component: metacontroller\n spec:\n containers:\n - command:\n - /usr/bin/metacontroller\n - --logtostderr\n - -v=4\n - --discovery-interval=20s\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/metacontroller-metacontroller:v0.3.0-5f0e4\n imagePullPolicy: Always\n name: metacontroller\n ports:\n - containerPort: 2345\n resources:\n limits:\n cpu: \"4\"\n memory: 4Gi\n requests:\n cpu: 500m\n memory: 1Gi\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n serviceAccountName: meta-controller-service\n volumeClaimTemplates: []\n---\napiVersion: metacontroller.k8s.io/v1alpha1\nkind: CompositeController\nmetadata:\n labels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-profile-controller\n namespace: kubeflow\nspec:\n childResources:\n - apiVersion: v1\n resource: secrets\n updateStrategy:\n method: OnDelete\n - apiVersion: v1\n resource: configmaps\n updateStrategy:\n method: OnDelete\n - apiVersion: apps/v1\n resource: deployments\n updateStrategy:\n method: InPlace\n - apiVersion: v1\n resource: services\n updateStrategy:\n method: InPlace\n - apiVersion: networking.istio.io/v1alpha3\n resource: destinationrules\n updateStrategy:\n method: InPlace\n - apiVersion: security.istio.io/v1beta1\n resource: authorizationpolicies\n updateStrategy:\n method: InPlace\n generateSelector: true\n hooks:\n sync:\n webhook:\n url: http://kubeflow-pipelines-profile-controller/sync\n parentResource:\n apiVersion: v1\n resource: namespaces\n resyncPeriodSeconds: 10\n---\napiVersion: networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline\n namespace: kubeflow\nspec:\n host: ml-pipeline.kubeflow.svc.cluster.local\n trafficPolicy:\n tls:\n mode: ISTIO_MUTUAL\n---\napiVersion: networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-minio\n namespace: kubeflow\nspec:\n host: minio-service.kubeflow.svc.cluster.local\n trafficPolicy:\n tls:\n mode: ISTIO_MUTUAL\n---\napiVersion: networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-mysql\n namespace: kubeflow\nspec:\n host: mysql.kubeflow.svc.cluster.local\n trafficPolicy:\n tls:\n mode: ISTIO_MUTUAL\n---\napiVersion: networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\n namespace: kubeflow\nspec:\n host: ml-pipeline-ui.kubeflow.svc.cluster.local\n trafficPolicy:\n tls:\n mode: ISTIO_MUTUAL\n---\napiVersion: networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-visualizationserver\n namespace: kubeflow\nspec:\n host: ml-pipeline-visualizationserver.kubeflow.svc.cluster.local\n trafficPolicy:\n tls:\n mode: ISTIO_MUTUAL\n---\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: metadata-grpc\n namespace: kubeflow\nspec:\n gateways:\n - kubeflow-gateway\n hosts:\n - '*'\n http:\n - match:\n - uri:\n prefix: /ml_metadata\n rewrite:\n uri: /ml_metadata\n route:\n - destination:\n host: ml-pipeline-ui.kubeflow.svc.cluster.local\n port:\n number: 80\n---\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\n namespace: kubeflow\nspec:\n gateways:\n - kubeflow-gateway\n hosts:\n - '*'\n http:\n - match:\n - uri:\n prefix: /pipeline\n rewrite:\n uri: /pipeline\n route:\n - destination:\n host: ml-pipeline-ui.kubeflow.svc.cluster.local\n port:\n number: 80\n timeout: 300s\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: metadata-grpc-service\n namespace: kubeflow\nspec:\n action: ALLOW\n rules:\n - {}\n selector:\n matchLabels:\n component: metadata-grpc-server\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: minio-service\n namespace: kubeflow\nspec:\n action: ALLOW\n rules:\n - from:\n - source:\n principals:\n - cluster.local/ns/kubeflow/sa/ml-pipeline\n - from:\n - source:\n principals:\n - cluster.local/ns/kubeflow/sa/ml-pipeline-ui\n - {}\n selector:\n matchLabels:\n app: minio\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline\n namespace: kubeflow\nspec:\n rules:\n - from:\n - source:\n principals:\n - cluster.local/ns/kubeflow/sa/ml-pipeline\n - cluster.local/ns/kubeflow/sa/ml-pipeline-ui\n - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent\n - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow\n - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account\n - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache\n - when:\n - key: request.headers[kubeflow-userid]\n notValues:\n - '*'\n selector:\n matchLabels:\n app: ml-pipeline\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-ui\n namespace: kubeflow\nspec:\n rules:\n - from:\n - source:\n namespaces:\n - istio-system\n selector:\n matchLabels:\n app: ml-pipeline-ui\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: ml-pipeline-visualizationserver\n namespace: kubeflow\nspec:\n rules:\n - from:\n - source:\n principals:\n - cluster.local/ns/kubeflow/sa/ml-pipeline\n - cluster.local/ns/kubeflow/sa/ml-pipeline-ui\n - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent\n - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow\n - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account\n - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache\n selector:\n matchLabels:\n app: ml-pipeline-visualizationserver\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: mysql\n namespace: kubeflow\nspec:\n rules:\n - from:\n - source:\n principals:\n - cluster.local/ns/kubeflow/sa/ml-pipeline\n - cluster.local/ns/kubeflow/sa/ml-pipeline-ui\n - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent\n - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow\n - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account\n - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache\n - cluster.local/ns/kubeflow/sa/metadata-grpc-server\n selector:\n matchLabels:\n app: mysql\n---\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: service-cache-server\n namespace: kubeflow\nspec:\n rules:\n - {}\n selector:\n matchLabels:\n app: cache-server\n"
},
{
"path": "manifest1.3/018-kfserving-overlays-kubeflow.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n cert-manager.io/inject-ca-from: kubeflow/serving-cert\n controller-gen.kubebuilder.io/version: v0.3.1-0.20200528125929-5c0c6ae3b64b\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: inferenceservices.serving.kubeflow.org\nspec:\n conversion:\n conversionReviewVersions:\n - v1alpha2\n - v1beta1\n strategy: Webhook\n webhookClientConfig:\n caBundle: Cg==\n service:\n name: kfserving-webhook-server-service\n namespace: kubeflow\n path: /convert\n group: serving.kubeflow.org\n names:\n kind: InferenceService\n listKind: InferenceServiceList\n plural: inferenceservices\n shortNames:\n - isvc\n singular: inferenceservice\n preserveUnknownFields: false\n scope: Namespaced\n subresources:\n status: {}\n version: v1alpha2\n versions:\n - additionalPrinterColumns:\n - JSONPath: .status.url\n name: URL\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.traffic\n name: Default Traffic\n type: integer\n - JSONPath: .status.canaryTraffic\n name: Canary Traffic\n type: integer\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n name: v1alpha2\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n canary:\n properties:\n explainer:\n properties:\n aix:\n properties:\n config:\n additionalProperties:\n type: string\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n alibi:\n properties:\n config:\n additionalProperties:\n type: string\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n batcher:\n properties:\n maxBatchSize:\n type: integer\n maxLatency:\n type: integer\n timeout:\n type: integer\n type: object\n custom:\n properties:\n container:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n required:\n - name\n type: object\n required:\n - container\n type: object\n logger:\n properties:\n mode:\n type: string\n url:\n type: string\n type: object\n maxReplicas:\n type: integer\n minReplicas:\n type: integer\n parallelism:\n type: integer\n serviceAccountName:\n type: string\n type: object\n predictor:\n properties:\n batcher:\n properties:\n maxBatchSize:\n type: integer\n maxLatency:\n type: integer\n timeout:\n type: integer\n type: object\n custom:\n properties:\n container:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n required:\n - name\n type: object\n required:\n - container\n type: object\n lightgbm:\n properties:\n nthread:\n type: integer\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n logger:\n properties:\n mode:\n type: string\n url:\n type: string\n type: object\n maxReplicas:\n type: integer\n minReplicas:\n type: integer\n onnx:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n parallelism:\n type: integer\n pmml:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n pytorch:\n properties:\n modelClassName:\n type: string\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n serviceAccountName:\n type: string\n sklearn:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n tensorflow:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n triton:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n xgboost:\n properties:\n nthread:\n type: integer\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n type: object\n transformer:\n properties:\n batcher:\n properties:\n maxBatchSize:\n type: integer\n maxLatency:\n type: integer\n timeout:\n type: integer\n type: object\n custom:\n properties:\n container:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n required:\n - name\n type: object\n required:\n - container\n type: object\n logger:\n properties:\n mode:\n type: string\n url:\n type: string\n type: object\n maxReplicas:\n type: integer\n minReplicas:\n type: integer\n parallelism:\n type: integer\n serviceAccountName:\n type: string\n type: object\n required:\n - predictor\n type: object\n canaryTrafficPercent:\n type: integer\n default:\n properties:\n explainer:\n properties:\n aix:\n properties:\n config:\n additionalProperties:\n type: string\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n alibi:\n properties:\n config:\n additionalProperties:\n type: string\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n batcher:\n properties:\n maxBatchSize:\n type: integer\n maxLatency:\n type: integer\n timeout:\n type: integer\n type: object\n custom:\n properties:\n container:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n required:\n - name\n type: object\n required:\n - container\n type: object\n logger:\n properties:\n mode:\n type: string\n url:\n type: string\n type: object\n maxReplicas:\n type: integer\n minReplicas:\n type: integer\n parallelism:\n type: integer\n serviceAccountName:\n type: string\n type: object\n predictor:\n properties:\n batcher:\n properties:\n maxBatchSize:\n type: integer\n maxLatency:\n type: integer\n timeout:\n type: integer\n type: object\n custom:\n properties:\n container:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n required:\n - name\n type: object\n required:\n - container\n type: object\n lightgbm:\n properties:\n nthread:\n type: integer\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n logger:\n properties:\n mode:\n type: string\n url:\n type: string\n type: object\n maxReplicas:\n type: integer\n minReplicas:\n type: integer\n onnx:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n parallelism:\n type: integer\n pmml:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n pytorch:\n properties:\n modelClassName:\n type: string\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n serviceAccountName:\n type: string\n sklearn:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n tensorflow:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n triton:\n properties:\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n xgboost:\n properties:\n nthread:\n type: integer\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n storageUri:\n type: string\n required:\n - storageUri\n type: object\n type: object\n transformer:\n properties:\n batcher:\n properties:\n maxBatchSize:\n type: integer\n maxLatency:\n type: integer\n timeout:\n type: integer\n type: object\n custom:\n properties:\n container:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n required:\n - name\n type: object\n required:\n - container\n type: object\n logger:\n properties:\n mode:\n type: string\n url:\n type: string\n type: object\n maxReplicas:\n type: integer\n minReplicas:\n type: integer\n parallelism:\n type: integer\n serviceAccountName:\n type: string\n type: object\n required:\n - predictor\n type: object\n required:\n - default\n type: object\n status:\n properties:\n address:\n properties:\n url:\n type: string\n type: object\n annotations:\n additionalProperties:\n type: string\n type: object\n canary:\n additionalProperties:\n properties:\n host:\n type: string\n name:\n type: string\n type: object\n type: object\n canaryTraffic:\n type: integer\n conditions:\n items:\n properties:\n lastTransitionTime:\n type: string\n message:\n type: string\n reason:\n type: string\n severity:\n type: string\n status:\n type: string\n type:\n type: string\n required:\n - status\n - type\n type: object\n type: array\n default:\n additionalProperties:\n properties:\n host:\n type: string\n name:\n type: string\n type: object\n type: object\n observedGeneration:\n format: int64\n type: integer\n traffic:\n type: integer\n url:\n type: string\n type: object\n type: object\n served: true\n storage: false\n - additionalPrinterColumns:\n - JSONPath: .status.url\n name: URL\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .status.components.predictor.traffic[?(@.tag=='prev')].percent\n name: Prev\n type: integer\n - JSONPath: .status.components.predictor.traffic[?(@.latestRevision==true)].percent\n name: Latest\n type: integer\n - JSONPath: .status.components.predictor.traffic[?(@.tag=='prev')].revisionName\n name: PrevRolledoutRevision\n type: string\n - JSONPath: .status.components.predictor.traffic[?(@.latestRevision==true)].revisionName\n name: LatestReadyRevision\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n name: v1beta1\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n explainer:\n properties:\n activeDeadlineSeconds:\n format: int64\n type: integer\n affinity:\n properties:\n nodeAffinity:\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n preference:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n weight:\n format: int32\n type: integer\n required:\n - preference\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n properties:\n nodeSelectorTerms:\n items:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n type: array\n required:\n - nodeSelectorTerms\n type: object\n type: object\n podAffinity:\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n podAffinityTerm:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n weight:\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n podAntiAffinity:\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n podAffinityTerm:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n weight:\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n type: object\n aix:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n config:\n additionalProperties:\n type: string\n type: object\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n type:\n type: string\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n alibi:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n config:\n additionalProperties:\n type: string\n type: object\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n type:\n type: string\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n art:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n config:\n additionalProperties:\n type: string\n type: object\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n type:\n type: string\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n automountServiceAccountToken:\n type: boolean\n batcher:\n properties:\n maxBatchSize:\n type: integer\n maxLatency:\n type: integer\n timeout:\n type: integer\n type: object\n canaryTrafficPercent:\n format: int64\n type: integer\n containerConcurrency:\n format: int64\n type: integer\n containers:\n items:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n required:\n - name\n type: object\n type: array\n dnsConfig:\n properties:\n nameservers:\n items:\n type: string\n type: array\n options:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n type: object\n type: array\n searches:\n items:\n type: string\n type: array\n type: object\n dnsPolicy:\n type: string\n enableServiceLinks:\n type: boolean\n hostAliases:\n items:\n properties:\n hostnames:\n items:\n type: string\n type: array\n ip:\n type: string\n type: object\n type: array\n hostIPC:\n type: boolean\n hostNetwork:\n type: boolean\n hostPID:\n type: boolean\n hostname:\n type: string\n imagePullSecrets:\n items:\n properties:\n name:\n type: string\n type: object\n type: array\n logger:\n properties:\n mode:\n enum:\n - all\n - request\n - response\n type: string\n url:\n type: string\n type: object\n maxReplicas:\n type: integer\n minReplicas:\n type: integer\n nodeName:\n type: string\n nodeSelector:\n additionalProperties:\n type: string\n type: object\n overhead:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n preemptionPolicy:\n type: string\n priority:\n format: int32\n type: integer\n priorityClassName:\n type: string\n readinessGates:\n items:\n properties:\n conditionType:\n type: string\n required:\n - conditionType\n type: object\n type: array\n restartPolicy:\n type: string\n runtimeClassName:\n type: string\n schedulerName:\n type: string\n securityContext:\n properties:\n fsGroup:\n format: int64\n type: integer\n fsGroupChangePolicy:\n type: string\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n supplementalGroups:\n items:\n format: int64\n type: integer\n type: array\n sysctls:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n serviceAccount:\n type: string\n serviceAccountName:\n type: string\n setHostnameAsFQDN:\n type: boolean\n shareProcessNamespace:\n type: boolean\n subdomain:\n type: string\n terminationGracePeriodSeconds:\n format: int64\n type: integer\n timeout:\n format: int64\n type: integer\n tolerations:\n items:\n properties:\n effect:\n type: string\n key:\n type: string\n operator:\n type: string\n tolerationSeconds:\n format: int64\n type: integer\n value:\n type: string\n type: object\n type: array\n topologySpreadConstraints:\n items:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n maxSkew:\n format: int32\n type: integer\n topologyKey:\n type: string\n whenUnsatisfiable:\n type: string\n required:\n - maxSkew\n - topologyKey\n - whenUnsatisfiable\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - topologyKey\n - whenUnsatisfiable\n x-kubernetes-list-type: map\n volumes:\n items:\n properties:\n awsElasticBlockStore:\n properties:\n fsType:\n type: string\n partition:\n format: int32\n type: integer\n readOnly:\n type: boolean\n volumeID:\n type: string\n required:\n - volumeID\n type: object\n azureDisk:\n properties:\n cachingMode:\n type: string\n diskName:\n type: string\n diskURI:\n type: string\n fsType:\n type: string\n kind:\n type: string\n readOnly:\n type: boolean\n required:\n - diskName\n - diskURI\n type: object\n azureFile:\n properties:\n readOnly:\n type: boolean\n secretName:\n type: string\n shareName:\n type: string\n required:\n - secretName\n - shareName\n type: object\n cephfs:\n properties:\n monitors:\n items:\n type: string\n type: array\n path:\n type: string\n readOnly:\n type: boolean\n secretFile:\n type: string\n secretRef:\n properties:\n name:\n type: string\n type: object\n user:\n type: string\n required:\n - monitors\n type: object\n cinder:\n properties:\n fsType:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n volumeID:\n type: string\n required:\n - volumeID\n type: object\n configMap:\n properties:\n defaultMode:\n format: int32\n type: integer\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n type: string\n optional:\n type: boolean\n type: object\n csi:\n properties:\n driver:\n type: string\n fsType:\n type: string\n nodePublishSecretRef:\n properties:\n name:\n type: string\n type: object\n readOnly:\n type: boolean\n volumeAttributes:\n additionalProperties:\n type: string\n type: object\n required:\n - driver\n type: object\n downwardAPI:\n properties:\n defaultMode:\n format: int32\n type: integer\n items:\n items:\n properties:\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n mode:\n format: int32\n type: integer\n path:\n type: string\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n required:\n - path\n type: object\n type: array\n type: object\n emptyDir:\n properties:\n medium:\n type: string\n sizeLimit:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n ephemeral:\n properties:\n readOnly:\n type: boolean\n volumeClaimTemplate:\n properties:\n metadata:\n type: object\n spec:\n properties:\n accessModes:\n items:\n type: string\n type: array\n dataSource:\n properties:\n apiGroup:\n type: string\n kind:\n type: string\n name:\n type: string\n required:\n - kind\n - name\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n selector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n storageClassName:\n type: string\n volumeMode:\n type: string\n volumeName:\n type: string\n type: object\n required:\n - spec\n type: object\n type: object\n fc:\n properties:\n fsType:\n type: string\n lun:\n format: int32\n type: integer\n readOnly:\n type: boolean\n targetWWNs:\n items:\n type: string\n type: array\n wwids:\n items:\n type: string\n type: array\n type: object\n flexVolume:\n properties:\n driver:\n type: string\n fsType:\n type: string\n options:\n additionalProperties:\n type: string\n type: object\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n required:\n - driver\n type: object\n flocker:\n properties:\n datasetName:\n type: string\n datasetUUID:\n type: string\n type: object\n gcePersistentDisk:\n properties:\n fsType:\n type: string\n partition:\n format: int32\n type: integer\n pdName:\n type: string\n readOnly:\n type: boolean\n required:\n - pdName\n type: object\n gitRepo:\n properties:\n directory:\n type: string\n repository:\n type: string\n revision:\n type: string\n required:\n - repository\n type: object\n glusterfs:\n properties:\n endpoints:\n type: string\n path:\n type: string\n readOnly:\n type: boolean\n required:\n - endpoints\n - path\n type: object\n hostPath:\n properties:\n path:\n type: string\n type:\n type: string\n required:\n - path\n type: object\n iscsi:\n properties:\n chapAuthDiscovery:\n type: boolean\n chapAuthSession:\n type: boolean\n fsType:\n type: string\n initiatorName:\n type: string\n iqn:\n type: string\n iscsiInterface:\n type: string\n lun:\n format: int32\n type: integer\n portals:\n items:\n type: string\n type: array\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n targetPortal:\n type: string\n required:\n - iqn\n - lun\n - targetPortal\n type: object\n name:\n type: string\n nfs:\n properties:\n path:\n type: string\n readOnly:\n type: boolean\n server:\n type: string\n required:\n - path\n - server\n type: object\n persistentVolumeClaim:\n properties:\n claimName:\n type: string\n readOnly:\n type: boolean\n required:\n - claimName\n type: object\n photonPersistentDisk:\n properties:\n fsType:\n type: string\n pdID:\n type: string\n required:\n - pdID\n type: object\n portworxVolume:\n properties:\n fsType:\n type: string\n readOnly:\n type: boolean\n volumeID:\n type: string\n required:\n - volumeID\n type: object\n projected:\n properties:\n defaultMode:\n format: int32\n type: integer\n sources:\n items:\n properties:\n configMap:\n properties:\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n type: string\n optional:\n type: boolean\n type: object\n downwardAPI:\n properties:\n items:\n items:\n properties:\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n mode:\n format: int32\n type: integer\n path:\n type: string\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n required:\n - path\n type: object\n type: array\n type: object\n secret:\n properties:\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n type: string\n optional:\n type: boolean\n type: object\n serviceAccountToken:\n properties:\n audience:\n type: string\n expirationSeconds:\n format: int64\n type: integer\n path:\n type: string\n required:\n - path\n type: object\n type: object\n type: array\n required:\n - sources\n type: object\n quobyte:\n properties:\n group:\n type: string\n readOnly:\n type: boolean\n registry:\n type: string\n tenant:\n type: string\n user:\n type: string\n volume:\n type: string\n required:\n - registry\n - volume\n type: object\n rbd:\n properties:\n fsType:\n type: string\n image:\n type: string\n keyring:\n type: string\n monitors:\n items:\n type: string\n type: array\n pool:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n user:\n type: string\n required:\n - image\n - monitors\n type: object\n scaleIO:\n properties:\n fsType:\n type: string\n gateway:\n type: string\n protectionDomain:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n sslEnabled:\n type: boolean\n storageMode:\n type: string\n storagePool:\n type: string\n system:\n type: string\n volumeName:\n type: string\n required:\n - gateway\n - secretRef\n - system\n type: object\n secret:\n properties:\n defaultMode:\n format: int32\n type: integer\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n optional:\n type: boolean\n secretName:\n type: string\n type: object\n storageos:\n properties:\n fsType:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n volumeName:\n type: string\n volumeNamespace:\n type: string\n type: object\n vsphereVolume:\n properties:\n fsType:\n type: string\n storagePolicyID:\n type: string\n storagePolicyName:\n type: string\n volumePath:\n type: string\n required:\n - volumePath\n type: object\n required:\n - name\n type: object\n type: array\n type: object\n predictor:\n properties:\n activeDeadlineSeconds:\n format: int64\n type: integer\n affinity:\n properties:\n nodeAffinity:\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n preference:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n weight:\n format: int32\n type: integer\n required:\n - preference\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n properties:\n nodeSelectorTerms:\n items:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n type: array\n required:\n - nodeSelectorTerms\n type: object\n type: object\n podAffinity:\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n podAffinityTerm:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n weight:\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n podAntiAffinity:\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n podAffinityTerm:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n weight:\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n type: object\n automountServiceAccountToken:\n type: boolean\n batcher:\n properties:\n maxBatchSize:\n type: integer\n maxLatency:\n type: integer\n timeout:\n type: integer\n type: object\n canaryTrafficPercent:\n format: int64\n type: integer\n containerConcurrency:\n format: int64\n type: integer\n containers:\n items:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n required:\n - name\n type: object\n type: array\n dnsConfig:\n properties:\n nameservers:\n items:\n type: string\n type: array\n options:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n type: object\n type: array\n searches:\n items:\n type: string\n type: array\n type: object\n dnsPolicy:\n type: string\n enableServiceLinks:\n type: boolean\n hostAliases:\n items:\n properties:\n hostnames:\n items:\n type: string\n type: array\n ip:\n type: string\n type: object\n type: array\n hostIPC:\n type: boolean\n hostNetwork:\n type: boolean\n hostPID:\n type: boolean\n hostname:\n type: string\n imagePullSecrets:\n items:\n properties:\n name:\n type: string\n type: object\n type: array\n lightgbm:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n protocolVersion:\n type: string\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n logger:\n properties:\n mode:\n enum:\n - all\n - request\n - response\n type: string\n url:\n type: string\n type: object\n maxReplicas:\n type: integer\n minReplicas:\n type: integer\n nodeName:\n type: string\n nodeSelector:\n additionalProperties:\n type: string\n type: object\n onnx:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n protocolVersion:\n type: string\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n overhead:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n pmml:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n protocolVersion:\n type: string\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n preemptionPolicy:\n type: string\n priority:\n format: int32\n type: integer\n priorityClassName:\n type: string\n pytorch:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n modelClassName:\n type: string\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n protocolVersion:\n type: string\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n readinessGates:\n items:\n properties:\n conditionType:\n type: string\n required:\n - conditionType\n type: object\n type: array\n restartPolicy:\n type: string\n runtimeClassName:\n type: string\n schedulerName:\n type: string\n securityContext:\n properties:\n fsGroup:\n format: int64\n type: integer\n fsGroupChangePolicy:\n type: string\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n supplementalGroups:\n items:\n format: int64\n type: integer\n type: array\n sysctls:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n serviceAccount:\n type: string\n serviceAccountName:\n type: string\n setHostnameAsFQDN:\n type: boolean\n shareProcessNamespace:\n type: boolean\n sklearn:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n protocolVersion:\n type: string\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n subdomain:\n type: string\n tensorflow:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n protocolVersion:\n type: string\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n terminationGracePeriodSeconds:\n format: int64\n type: integer\n timeout:\n format: int64\n type: integer\n tolerations:\n items:\n properties:\n effect:\n type: string\n key:\n type: string\n operator:\n type: string\n tolerationSeconds:\n format: int64\n type: integer\n value:\n type: string\n type: object\n type: array\n topologySpreadConstraints:\n items:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n maxSkew:\n format: int32\n type: integer\n topologyKey:\n type: string\n whenUnsatisfiable:\n type: string\n required:\n - maxSkew\n - topologyKey\n - whenUnsatisfiable\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - topologyKey\n - whenUnsatisfiable\n x-kubernetes-list-type: map\n triton:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n protocolVersion:\n type: string\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n volumes:\n items:\n properties:\n awsElasticBlockStore:\n properties:\n fsType:\n type: string\n partition:\n format: int32\n type: integer\n readOnly:\n type: boolean\n volumeID:\n type: string\n required:\n - volumeID\n type: object\n azureDisk:\n properties:\n cachingMode:\n type: string\n diskName:\n type: string\n diskURI:\n type: string\n fsType:\n type: string\n kind:\n type: string\n readOnly:\n type: boolean\n required:\n - diskName\n - diskURI\n type: object\n azureFile:\n properties:\n readOnly:\n type: boolean\n secretName:\n type: string\n shareName:\n type: string\n required:\n - secretName\n - shareName\n type: object\n cephfs:\n properties:\n monitors:\n items:\n type: string\n type: array\n path:\n type: string\n readOnly:\n type: boolean\n secretFile:\n type: string\n secretRef:\n properties:\n name:\n type: string\n type: object\n user:\n type: string\n required:\n - monitors\n type: object\n cinder:\n properties:\n fsType:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n volumeID:\n type: string\n required:\n - volumeID\n type: object\n configMap:\n properties:\n defaultMode:\n format: int32\n type: integer\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n type: string\n optional:\n type: boolean\n type: object\n csi:\n properties:\n driver:\n type: string\n fsType:\n type: string\n nodePublishSecretRef:\n properties:\n name:\n type: string\n type: object\n readOnly:\n type: boolean\n volumeAttributes:\n additionalProperties:\n type: string\n type: object\n required:\n - driver\n type: object\n downwardAPI:\n properties:\n defaultMode:\n format: int32\n type: integer\n items:\n items:\n properties:\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n mode:\n format: int32\n type: integer\n path:\n type: string\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n required:\n - path\n type: object\n type: array\n type: object\n emptyDir:\n properties:\n medium:\n type: string\n sizeLimit:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n ephemeral:\n properties:\n readOnly:\n type: boolean\n volumeClaimTemplate:\n properties:\n metadata:\n type: object\n spec:\n properties:\n accessModes:\n items:\n type: string\n type: array\n dataSource:\n properties:\n apiGroup:\n type: string\n kind:\n type: string\n name:\n type: string\n required:\n - kind\n - name\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n selector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n storageClassName:\n type: string\n volumeMode:\n type: string\n volumeName:\n type: string\n type: object\n required:\n - spec\n type: object\n type: object\n fc:\n properties:\n fsType:\n type: string\n lun:\n format: int32\n type: integer\n readOnly:\n type: boolean\n targetWWNs:\n items:\n type: string\n type: array\n wwids:\n items:\n type: string\n type: array\n type: object\n flexVolume:\n properties:\n driver:\n type: string\n fsType:\n type: string\n options:\n additionalProperties:\n type: string\n type: object\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n required:\n - driver\n type: object\n flocker:\n properties:\n datasetName:\n type: string\n datasetUUID:\n type: string\n type: object\n gcePersistentDisk:\n properties:\n fsType:\n type: string\n partition:\n format: int32\n type: integer\n pdName:\n type: string\n readOnly:\n type: boolean\n required:\n - pdName\n type: object\n gitRepo:\n properties:\n directory:\n type: string\n repository:\n type: string\n revision:\n type: string\n required:\n - repository\n type: object\n glusterfs:\n properties:\n endpoints:\n type: string\n path:\n type: string\n readOnly:\n type: boolean\n required:\n - endpoints\n - path\n type: object\n hostPath:\n properties:\n path:\n type: string\n type:\n type: string\n required:\n - path\n type: object\n iscsi:\n properties:\n chapAuthDiscovery:\n type: boolean\n chapAuthSession:\n type: boolean\n fsType:\n type: string\n initiatorName:\n type: string\n iqn:\n type: string\n iscsiInterface:\n type: string\n lun:\n format: int32\n type: integer\n portals:\n items:\n type: string\n type: array\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n targetPortal:\n type: string\n required:\n - iqn\n - lun\n - targetPortal\n type: object\n name:\n type: string\n nfs:\n properties:\n path:\n type: string\n readOnly:\n type: boolean\n server:\n type: string\n required:\n - path\n - server\n type: object\n persistentVolumeClaim:\n properties:\n claimName:\n type: string\n readOnly:\n type: boolean\n required:\n - claimName\n type: object\n photonPersistentDisk:\n properties:\n fsType:\n type: string\n pdID:\n type: string\n required:\n - pdID\n type: object\n portworxVolume:\n properties:\n fsType:\n type: string\n readOnly:\n type: boolean\n volumeID:\n type: string\n required:\n - volumeID\n type: object\n projected:\n properties:\n defaultMode:\n format: int32\n type: integer\n sources:\n items:\n properties:\n configMap:\n properties:\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n type: string\n optional:\n type: boolean\n type: object\n downwardAPI:\n properties:\n items:\n items:\n properties:\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n mode:\n format: int32\n type: integer\n path:\n type: string\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n required:\n - path\n type: object\n type: array\n type: object\n secret:\n properties:\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n type: string\n optional:\n type: boolean\n type: object\n serviceAccountToken:\n properties:\n audience:\n type: string\n expirationSeconds:\n format: int64\n type: integer\n path:\n type: string\n required:\n - path\n type: object\n type: object\n type: array\n required:\n - sources\n type: object\n quobyte:\n properties:\n group:\n type: string\n readOnly:\n type: boolean\n registry:\n type: string\n tenant:\n type: string\n user:\n type: string\n volume:\n type: string\n required:\n - registry\n - volume\n type: object\n rbd:\n properties:\n fsType:\n type: string\n image:\n type: string\n keyring:\n type: string\n monitors:\n items:\n type: string\n type: array\n pool:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n user:\n type: string\n required:\n - image\n - monitors\n type: object\n scaleIO:\n properties:\n fsType:\n type: string\n gateway:\n type: string\n protectionDomain:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n sslEnabled:\n type: boolean\n storageMode:\n type: string\n storagePool:\n type: string\n system:\n type: string\n volumeName:\n type: string\n required:\n - gateway\n - secretRef\n - system\n type: object\n secret:\n properties:\n defaultMode:\n format: int32\n type: integer\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n optional:\n type: boolean\n secretName:\n type: string\n type: object\n storageos:\n properties:\n fsType:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n volumeName:\n type: string\n volumeNamespace:\n type: string\n type: object\n vsphereVolume:\n properties:\n fsType:\n type: string\n storagePolicyID:\n type: string\n storagePolicyName:\n type: string\n volumePath:\n type: string\n required:\n - volumePath\n type: object\n required:\n - name\n type: object\n type: array\n xgboost:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n protocolVersion:\n type: string\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n runtimeVersion:\n type: string\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n storageUri:\n type: string\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n type: object\n type: object\n transformer:\n properties:\n activeDeadlineSeconds:\n format: int64\n type: integer\n affinity:\n properties:\n nodeAffinity:\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n preference:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n weight:\n format: int32\n type: integer\n required:\n - preference\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n properties:\n nodeSelectorTerms:\n items:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n type: array\n required:\n - nodeSelectorTerms\n type: object\n type: object\n podAffinity:\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n podAffinityTerm:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n weight:\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n podAntiAffinity:\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n podAffinityTerm:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n weight:\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n items:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n namespaces:\n items:\n type: string\n type: array\n topologyKey:\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n type: object\n automountServiceAccountToken:\n type: boolean\n batcher:\n properties:\n maxBatchSize:\n type: integer\n maxLatency:\n type: integer\n timeout:\n type: integer\n type: object\n canaryTrafficPercent:\n format: int64\n type: integer\n containerConcurrency:\n format: int64\n type: integer\n containers:\n items:\n properties:\n args:\n items:\n type: string\n type: array\n command:\n items:\n type: string\n type: array\n env:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n valueFrom:\n properties:\n configMapKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n properties:\n key:\n type: string\n name:\n type: string\n optional:\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n items:\n properties:\n configMapRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n prefix:\n type: string\n secretRef:\n properties:\n name:\n type: string\n optional:\n type: boolean\n type: object\n type: object\n type: array\n image:\n type: string\n imagePullPolicy:\n type: string\n lifecycle:\n properties:\n postStart:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n preStop:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n name:\n type: string\n ports:\n items:\n properties:\n containerPort:\n format: int32\n type: integer\n hostIP:\n type: string\n hostPort:\n format: int32\n type: integer\n name:\n type: string\n protocol:\n type: string\n required:\n - containerPort\n - protocol\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - containerPort\n - protocol\n x-kubernetes-list-type: map\n readinessProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n securityContext:\n properties:\n allowPrivilegeEscalation:\n type: boolean\n capabilities:\n properties:\n add:\n items:\n type: string\n type: array\n drop:\n items:\n type: string\n type: array\n type: object\n privileged:\n type: boolean\n procMount:\n type: string\n readOnlyRootFilesystem:\n type: boolean\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n startupProbe:\n properties:\n exec:\n properties:\n command:\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n format: int32\n type: integer\n httpGet:\n properties:\n host:\n type: string\n httpHeaders:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n scheme:\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n format: int32\n type: integer\n periodSeconds:\n format: int32\n type: integer\n successThreshold:\n format: int32\n type: integer\n tcpSocket:\n properties:\n host:\n type: string\n port:\n anyOf:\n - type: integer\n - type: string\n x-kubernetes-int-or-string: true\n required:\n - port\n type: object\n timeoutSeconds:\n format: int32\n type: integer\n type: object\n stdin:\n type: boolean\n stdinOnce:\n type: boolean\n terminationMessagePath:\n type: string\n terminationMessagePolicy:\n type: string\n tty:\n type: boolean\n volumeDevices:\n items:\n properties:\n devicePath:\n type: string\n name:\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n items:\n properties:\n mountPath:\n type: string\n mountPropagation:\n type: string\n name:\n type: string\n readOnly:\n type: boolean\n subPath:\n type: string\n subPathExpr:\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n type: string\n required:\n - name\n type: object\n type: array\n dnsConfig:\n properties:\n nameservers:\n items:\n type: string\n type: array\n options:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n type: object\n type: array\n searches:\n items:\n type: string\n type: array\n type: object\n dnsPolicy:\n type: string\n enableServiceLinks:\n type: boolean\n hostAliases:\n items:\n properties:\n hostnames:\n items:\n type: string\n type: array\n ip:\n type: string\n type: object\n type: array\n hostIPC:\n type: boolean\n hostNetwork:\n type: boolean\n hostPID:\n type: boolean\n hostname:\n type: string\n imagePullSecrets:\n items:\n properties:\n name:\n type: string\n type: object\n type: array\n logger:\n properties:\n mode:\n enum:\n - all\n - request\n - response\n type: string\n url:\n type: string\n type: object\n maxReplicas:\n type: integer\n minReplicas:\n type: integer\n nodeName:\n type: string\n nodeSelector:\n additionalProperties:\n type: string\n type: object\n overhead:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n preemptionPolicy:\n type: string\n priority:\n format: int32\n type: integer\n priorityClassName:\n type: string\n readinessGates:\n items:\n properties:\n conditionType:\n type: string\n required:\n - conditionType\n type: object\n type: array\n restartPolicy:\n type: string\n runtimeClassName:\n type: string\n schedulerName:\n type: string\n securityContext:\n properties:\n fsGroup:\n format: int64\n type: integer\n fsGroupChangePolicy:\n type: string\n runAsGroup:\n format: int64\n type: integer\n runAsNonRoot:\n type: boolean\n runAsUser:\n format: int64\n type: integer\n seLinuxOptions:\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n type: object\n seccompProfile:\n properties:\n localhostProfile:\n type: string\n type:\n type: string\n required:\n - type\n type: object\n supplementalGroups:\n items:\n format: int64\n type: integer\n type: array\n sysctls:\n items:\n properties:\n name:\n type: string\n value:\n type: string\n required:\n - name\n - value\n type: object\n type: array\n windowsOptions:\n properties:\n gmsaCredentialSpec:\n type: string\n gmsaCredentialSpecName:\n type: string\n runAsUserName:\n type: string\n type: object\n type: object\n serviceAccount:\n type: string\n serviceAccountName:\n type: string\n setHostnameAsFQDN:\n type: boolean\n shareProcessNamespace:\n type: boolean\n subdomain:\n type: string\n terminationGracePeriodSeconds:\n format: int64\n type: integer\n timeout:\n format: int64\n type: integer\n tolerations:\n items:\n properties:\n effect:\n type: string\n key:\n type: string\n operator:\n type: string\n tolerationSeconds:\n format: int64\n type: integer\n value:\n type: string\n type: object\n type: array\n topologySpreadConstraints:\n items:\n properties:\n labelSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n maxSkew:\n format: int32\n type: integer\n topologyKey:\n type: string\n whenUnsatisfiable:\n type: string\n required:\n - maxSkew\n - topologyKey\n - whenUnsatisfiable\n type: object\n type: array\n x-kubernetes-list-map-keys:\n - topologyKey\n - whenUnsatisfiable\n x-kubernetes-list-type: map\n volumes:\n items:\n properties:\n awsElasticBlockStore:\n properties:\n fsType:\n type: string\n partition:\n format: int32\n type: integer\n readOnly:\n type: boolean\n volumeID:\n type: string\n required:\n - volumeID\n type: object\n azureDisk:\n properties:\n cachingMode:\n type: string\n diskName:\n type: string\n diskURI:\n type: string\n fsType:\n type: string\n kind:\n type: string\n readOnly:\n type: boolean\n required:\n - diskName\n - diskURI\n type: object\n azureFile:\n properties:\n readOnly:\n type: boolean\n secretName:\n type: string\n shareName:\n type: string\n required:\n - secretName\n - shareName\n type: object\n cephfs:\n properties:\n monitors:\n items:\n type: string\n type: array\n path:\n type: string\n readOnly:\n type: boolean\n secretFile:\n type: string\n secretRef:\n properties:\n name:\n type: string\n type: object\n user:\n type: string\n required:\n - monitors\n type: object\n cinder:\n properties:\n fsType:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n volumeID:\n type: string\n required:\n - volumeID\n type: object\n configMap:\n properties:\n defaultMode:\n format: int32\n type: integer\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n type: string\n optional:\n type: boolean\n type: object\n csi:\n properties:\n driver:\n type: string\n fsType:\n type: string\n nodePublishSecretRef:\n properties:\n name:\n type: string\n type: object\n readOnly:\n type: boolean\n volumeAttributes:\n additionalProperties:\n type: string\n type: object\n required:\n - driver\n type: object\n downwardAPI:\n properties:\n defaultMode:\n format: int32\n type: integer\n items:\n items:\n properties:\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n mode:\n format: int32\n type: integer\n path:\n type: string\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n required:\n - path\n type: object\n type: array\n type: object\n emptyDir:\n properties:\n medium:\n type: string\n sizeLimit:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n ephemeral:\n properties:\n readOnly:\n type: boolean\n volumeClaimTemplate:\n properties:\n metadata:\n type: object\n spec:\n properties:\n accessModes:\n items:\n type: string\n type: array\n dataSource:\n properties:\n apiGroup:\n type: string\n kind:\n type: string\n name:\n type: string\n required:\n - kind\n - name\n type: object\n resources:\n properties:\n limits:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n requests:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n type: object\n type: object\n selector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n storageClassName:\n type: string\n volumeMode:\n type: string\n volumeName:\n type: string\n type: object\n required:\n - spec\n type: object\n type: object\n fc:\n properties:\n fsType:\n type: string\n lun:\n format: int32\n type: integer\n readOnly:\n type: boolean\n targetWWNs:\n items:\n type: string\n type: array\n wwids:\n items:\n type: string\n type: array\n type: object\n flexVolume:\n properties:\n driver:\n type: string\n fsType:\n type: string\n options:\n additionalProperties:\n type: string\n type: object\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n required:\n - driver\n type: object\n flocker:\n properties:\n datasetName:\n type: string\n datasetUUID:\n type: string\n type: object\n gcePersistentDisk:\n properties:\n fsType:\n type: string\n partition:\n format: int32\n type: integer\n pdName:\n type: string\n readOnly:\n type: boolean\n required:\n - pdName\n type: object\n gitRepo:\n properties:\n directory:\n type: string\n repository:\n type: string\n revision:\n type: string\n required:\n - repository\n type: object\n glusterfs:\n properties:\n endpoints:\n type: string\n path:\n type: string\n readOnly:\n type: boolean\n required:\n - endpoints\n - path\n type: object\n hostPath:\n properties:\n path:\n type: string\n type:\n type: string\n required:\n - path\n type: object\n iscsi:\n properties:\n chapAuthDiscovery:\n type: boolean\n chapAuthSession:\n type: boolean\n fsType:\n type: string\n initiatorName:\n type: string\n iqn:\n type: string\n iscsiInterface:\n type: string\n lun:\n format: int32\n type: integer\n portals:\n items:\n type: string\n type: array\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n targetPortal:\n type: string\n required:\n - iqn\n - lun\n - targetPortal\n type: object\n name:\n type: string\n nfs:\n properties:\n path:\n type: string\n readOnly:\n type: boolean\n server:\n type: string\n required:\n - path\n - server\n type: object\n persistentVolumeClaim:\n properties:\n claimName:\n type: string\n readOnly:\n type: boolean\n required:\n - claimName\n type: object\n photonPersistentDisk:\n properties:\n fsType:\n type: string\n pdID:\n type: string\n required:\n - pdID\n type: object\n portworxVolume:\n properties:\n fsType:\n type: string\n readOnly:\n type: boolean\n volumeID:\n type: string\n required:\n - volumeID\n type: object\n projected:\n properties:\n defaultMode:\n format: int32\n type: integer\n sources:\n items:\n properties:\n configMap:\n properties:\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n type: string\n optional:\n type: boolean\n type: object\n downwardAPI:\n properties:\n items:\n items:\n properties:\n fieldRef:\n properties:\n apiVersion:\n type: string\n fieldPath:\n type: string\n required:\n - fieldPath\n type: object\n mode:\n format: int32\n type: integer\n path:\n type: string\n resourceFieldRef:\n properties:\n containerName:\n type: string\n divisor:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n resource:\n type: string\n required:\n - resource\n type: object\n required:\n - path\n type: object\n type: array\n type: object\n secret:\n properties:\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n type: string\n optional:\n type: boolean\n type: object\n serviceAccountToken:\n properties:\n audience:\n type: string\n expirationSeconds:\n format: int64\n type: integer\n path:\n type: string\n required:\n - path\n type: object\n type: object\n type: array\n required:\n - sources\n type: object\n quobyte:\n properties:\n group:\n type: string\n readOnly:\n type: boolean\n registry:\n type: string\n tenant:\n type: string\n user:\n type: string\n volume:\n type: string\n required:\n - registry\n - volume\n type: object\n rbd:\n properties:\n fsType:\n type: string\n image:\n type: string\n keyring:\n type: string\n monitors:\n items:\n type: string\n type: array\n pool:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n user:\n type: string\n required:\n - image\n - monitors\n type: object\n scaleIO:\n properties:\n fsType:\n type: string\n gateway:\n type: string\n protectionDomain:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n sslEnabled:\n type: boolean\n storageMode:\n type: string\n storagePool:\n type: string\n system:\n type: string\n volumeName:\n type: string\n required:\n - gateway\n - secretRef\n - system\n type: object\n secret:\n properties:\n defaultMode:\n format: int32\n type: integer\n items:\n items:\n properties:\n key:\n type: string\n mode:\n format: int32\n type: integer\n path:\n type: string\n required:\n - key\n - path\n type: object\n type: array\n optional:\n type: boolean\n secretName:\n type: string\n type: object\n storageos:\n properties:\n fsType:\n type: string\n readOnly:\n type: boolean\n secretRef:\n properties:\n name:\n type: string\n type: object\n volumeName:\n type: string\n volumeNamespace:\n type: string\n type: object\n vsphereVolume:\n properties:\n fsType:\n type: string\n storagePolicyID:\n type: string\n storagePolicyName:\n type: string\n volumePath:\n type: string\n required:\n - volumePath\n type: object\n required:\n - name\n type: object\n type: array\n type: object\n required:\n - predictor\n type: object\n status:\n properties:\n address:\n properties:\n url:\n type: string\n type: object\n annotations:\n additionalProperties:\n type: string\n type: object\n components:\n additionalProperties:\n properties:\n address:\n properties:\n url:\n type: string\n type: object\n latestCreatedRevision:\n type: string\n latestReadyRevision:\n type: string\n latestRolledoutRevision:\n type: string\n previousRolledoutRevision:\n type: string\n traffic:\n items:\n properties:\n configurationName:\n type: string\n latestRevision:\n type: boolean\n percent:\n format: int64\n type: integer\n revisionName:\n type: string\n tag:\n type: string\n url:\n type: string\n type: object\n type: array\n url:\n type: string\n type: object\n type: object\n conditions:\n items:\n properties:\n lastTransitionTime:\n type: string\n message:\n type: string\n reason:\n type: string\n severity:\n type: string\n status:\n type: string\n type:\n type: string\n required:\n - status\n - type\n type: object\n type: array\n observedGeneration:\n format: int64\n type: integer\n url:\n type: string\n type: object\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: v0.3.1-0.20200528125929-5c0c6ae3b64b\n creationTimestamp: null\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: trainedmodels.serving.kubeflow.org\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.url\n name: URL\n type: string\n - JSONPath: .status.conditions[?(@.type=='Ready')].status\n name: Ready\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n group: serving.kubeflow.org\n names:\n kind: TrainedModel\n listKind: TrainedModelList\n plural: trainedmodels\n shortNames:\n - tm\n singular: trainedmodel\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n inferenceService:\n type: string\n model:\n properties:\n framework:\n type: string\n memory:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n storageUri:\n type: string\n required:\n - framework\n - memory\n - storageUri\n type: object\n required:\n - inferenceService\n - model\n type: object\n status:\n properties:\n address:\n properties:\n url:\n type: string\n type: object\n annotations:\n additionalProperties:\n type: string\n type: object\n conditions:\n items:\n properties:\n lastTransitionTime:\n type: string\n message:\n type: string\n reason:\n type: string\n severity:\n type: string\n status:\n type: string\n type:\n type: string\n required:\n - status\n - type\n type: object\n type: array\n observedGeneration:\n format: int64\n type: integer\n url:\n type: string\n type: object\n type: object\n version: v1alpha1\n versions:\n - name: v1alpha1\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: leader-election-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps/status\n verbs:\n - get\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n creationTimestamp: null\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: kfserving-manager-role\nrules:\n- apiGroups:\n - admissionregistration.k8s.io\n resources:\n - mutatingwebhookconfigurations\n - validatingwebhookconfigurations\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - create\n - get\n - list\n - update\n - watch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - \"\"\n resources:\n - namespaces\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - \"\"\n resources:\n - serviceaccounts\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - services\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - networking.istio.io\n resources:\n - virtualservices\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - networking.istio.io\n resources:\n - virtualservices/finalizers\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - networking.istio.io\n resources:\n - virtualservices/status\n verbs:\n - get\n - patch\n - update\n- apiGroups:\n - serving.knative.dev\n resources:\n - services\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - serving.knative.dev\n resources:\n - services/finalizers\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - serving.knative.dev\n resources:\n - services/status\n verbs:\n - get\n - patch\n - update\n- apiGroups:\n - serving.kubeflow.org\n resources:\n - inferenceservices\n - inferenceservices/finalizers\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - serving.kubeflow.org\n resources:\n - inferenceservices/status\n verbs:\n - get\n - patch\n - update\n- apiGroups:\n - serving.kubeflow.org\n resources:\n - trainedmodels\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - serving.kubeflow.org\n resources:\n - trainedmodels/status\n verbs:\n - get\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: kfserving-proxy-role\nrules:\n- apiGroups:\n - authentication.k8s.io\n resources:\n - tokenreviews\n verbs:\n - create\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kfserving-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: kubeflow-kfserving-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kfserving-admin: \"true\"\n name: kubeflow-kfserving-edit\nrules:\n- apiGroups:\n - serving.kubeflow.org\n resources:\n - inferenceservices\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: kubeflow-kfserving-view\nrules:\n- apiGroups:\n - serving.kubeflow.org\n resources:\n - inferenceservices\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: leader-election-rolebinding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: leader-election-role\nsubjects:\n- kind: ServiceAccount\n name: default\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: kfserving-manager-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: kfserving-manager-role\nsubjects:\n- kind: ServiceAccount\n name: default\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: kfserving-proxy-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: kfserving-proxy-role\nsubjects:\n- kind: ServiceAccount\n name: default\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n agent: |-\n {\n \"image\" : \"kfserving/agent:v0.5.1\",\n \"memoryRequest\": \"100Mi\",\n \"memoryLimit\": \"1Gi\",\n \"cpuRequest\": \"100m\",\n \"cpuLimit\": \"1\"\n }\n batcher: |-\n {\n \"image\" : \"kfserving/agent:v0.5.1\",\n \"memoryRequest\": \"1Gi\",\n \"memoryLimit\": \"1Gi\",\n \"cpuRequest\": \"1\",\n \"cpuLimit\": \"1\"\n }\n credentials: |-\n {\n \"gcs\": {\n \"gcsCredentialFileName\": \"gcloud-application-credentials.json\"\n },\n \"s3\": {\n \"s3AccessKeyIDName\": \"AWS_ACCESS_KEY_ID\",\n \"s3SecretAccessKeyName\": \"AWS_SECRET_ACCESS_KEY\"\n }\n }\n explainers: |-\n {\n \"alibi\": {\n \"image\" : \"kfserving/alibi-explainer\",\n \"defaultImageVersion\": \"v0.5.1\"\n },\n \"aix\": {\n \"image\" : \"kfserving/aix-explainer\",\n \"defaultImageVersion\": \"v0.5.1\"\n },\n \"art\": {\n \"image\" : \"kfserving/art-explainer\",\n \"defaultImageVersion\": \"v0.5.1\"\n }\n }\n ingress: |-\n {\n \"ingressGateway\" : \"kubeflow-gateway.kubeflow\",\n \"ingressService\" : \"istio-ingressgateway.istio-system.svc.cluster.local\",\n \"localGateway\" : \"cluster-local-gateway.knative-serving\",\n \"localGatewayService\" : \"cluster-local-gateway.istio-system.svc.cluster.local\"\n }\n logger: |-\n {\n \"image\" : \"kfserving/agent:v0.5.1\",\n \"memoryRequest\": \"100Mi\",\n \"memoryLimit\": \"1Gi\",\n \"cpuRequest\": \"100m\",\n \"cpuLimit\": \"1\",\n \"defaultUrl\": \"http://default-broker\"\n }\n predictors: |-\n {\n \"tensorflow\": {\n \"image\": \"tensorflow/serving\",\n \"defaultImageVersion\": \"1.14.0\",\n \"defaultGpuImageVersion\": \"1.14.0-gpu\",\n \"defaultTimeout\": \"60\",\n \"supportedFrameworks\": [\n \"tensorflow\"\n ],\n \"multiModelServer\": false\n },\n \"onnx\": {\n \"image\": \"mcr.microsoft.com/onnxruntime/server\",\n \"defaultImageVersion\": \"v1.0.0\",\n \"supportedFrameworks\": [\n \"onnx\"\n ],\n \"multiModelServer\": false\n },\n \"sklearn\": {\n \"v1\": {\n \"image\": \"gcr.io/kfserving/sklearnserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"supportedFrameworks\": [\n \"sklearn\"\n ],\n \"multiModelServer\": false\n },\n \"v2\": {\n \"image\": \"docker.io/seldonio/mlserver\",\n \"defaultImageVersion\": \"0.2.1\",\n \"supportedFrameworks\": [\n \"sklearn\"\n ],\n \"multiModelServer\": false\n }\n },\n \"xgboost\": {\n \"v1\": {\n \"image\": \"gcr.io/kfserving/xgbserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"supportedFrameworks\": [\n \"xgboost\"\n ],\n \"multiModelServer\": false\n },\n \"v2\": {\n \"image\": \"docker.io/seldonio/mlserver\",\n \"defaultImageVersion\": \"0.2.1\",\n \"supportedFrameworks\": [\n \"xgboost\"\n ],\n \"multiModelServer\": false\n }\n },\n \"pytorch\": {\n \"v1\" : {\n \"image\": \"gcr.io/kfserving/pytorchserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"defaultGpuImageVersion\": \"v0.5.1-gpu\",\n \"supportedFrameworks\": [\n \"pytorch\"\n ],\n \"multiModelServer\": false\n },\n \"v2\" : {\n \"image\": \"kfserving/torchserve-kfs\",\n \"defaultImageVersion\": \"0.3.0\",\n \"defaultGpuImageVersion\": \"0.3.0-gpu\",\n \"supportedFrameworks\": [\n \"pytorch\"\n ],\n \"multiModelServer\": false\n }\n },\n \"triton\": {\n \"image\": \"nvcr.io/nvidia/tritonserver\",\n \"defaultImageVersion\": \"20.08-py3\",\n \"supportedFrameworks\": [\n \"tensorrt\",\n \"tensorflow\",\n \"onnx\",\n \"pytorch\",\n \"caffe2\"\n ],\n \"multiModelServer\": false\n },\n \"pmml\": {\n \"image\": \"kfserving/pmmlserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"supportedFrameworks\": [\n \"pmml\"\n ],\n \"multiModelServer\": false\n },\n \"lightgbm\": {\n \"image\": \"kfserving/lgbserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"supportedFrameworks\": [\n \"lightgbm\"\n ],\n \"multiModelServer\": false\n }\n }\n storageInitializer: |-\n {\n \"image\" : \"gcr.io/kfserving/storage-initializer:v0.5.1\",\n \"memoryRequest\": \"100Mi\",\n \"memoryLimit\": \"1Gi\",\n \"cpuRequest\": \"100m\",\n \"cpuLimit\": \"1\"\n }\n transformers: |-\n {\n }\nkind: ConfigMap\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: inferenceservice-config\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n ingressGateway: '\"kubeflow-gateway.kubeflow\",'\nkind: ConfigMap\nmetadata:\n annotations: {}\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: kfserving-config\n namespace: kubeflow\n---\napiVersion: v1\nkind: Secret\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: kfserving-webhook-server-secret\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n annotations:\n prometheus.io/port: \"8443\"\n prometheus.io/scheme: https\n prometheus.io/scrape: \"true\"\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n control-plane: kfserving-controller-manager\n controller-tools.k8s.io: \"1.0\"\n kustomize.component: kfserving\n name: kfserving-controller-manager-metrics-service\n namespace: kubeflow\nspec:\n ports:\n - name: https\n port: 8443\n targetPort: https\n selector:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n control-plane: kfserving-controller-manager\n controller-tools.k8s.io: \"1.0\"\n kustomize.component: kfserving\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n control-plane: kfserving-controller-manager\n controller-tools.k8s.io: \"1.0\"\n kustomize.component: kfserving\n name: kfserving-controller-manager-service\n namespace: kubeflow\nspec:\n ports:\n - port: 443\n selector:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n control-plane: kfserving-controller-manager\n controller-tools.k8s.io: \"1.0\"\n kustomize.component: kfserving\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: kfserving-webhook-server-service\n namespace: kubeflow\nspec:\n ports:\n - port: 443\n targetPort: webhook-server\n selector:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n control-plane: kfserving-controller-manager\n kustomize.component: kfserving\n---\napiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n control-plane: kfserving-controller-manager\n controller-tools.k8s.io: \"1.0\"\n kustomize.component: kfserving\n name: kfserving-controller-manager\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n control-plane: kfserving-controller-manager\n controller-tools.k8s.io: \"1.0\"\n kustomize.component: kfserving\n serviceName: controller-manager-service\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n control-plane: kfserving-controller-manager\n controller-tools.k8s.io: \"1.0\"\n kustomize.component: kfserving\n spec:\n containers:\n - args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=10\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubebuilder-kube-rbac-proxy:v0.4.0-83234\n name: kube-rbac-proxy\n ports:\n - containerPort: 8443\n name: https\n - args:\n - --metrics-addr=127.0.0.1:8080\n command:\n - /manager\n env:\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: SECRET_NAME\n value: kfserving-webhook-server-cert\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kfserving-kfserving-controller:v0.5.1-8dc63\n imagePullPolicy: Always\n name: manager\n ports:\n - containerPort: 9443\n name: webhook-server\n protocol: TCP\n resources:\n limits:\n cpu: 100m\n memory: 300Mi\n requests:\n cpu: 100m\n memory: 200Mi\n volumeMounts:\n - mountPath: /tmp/k8s-webhook-server/serving-certs\n name: cert\n readOnly: true\n terminationGracePeriodSeconds: 10\n volumes:\n - name: cert\n secret:\n defaultMode: 420\n secretName: kfserving-webhook-server-cert\n---\napiVersion: cert-manager.io/v1alpha2\nkind: Certificate\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: serving-cert\n namespace: kubeflow\nspec:\n commonName: kfserving-webhook-server-service.kubeflow.svc\n dnsNames:\n - kfserving-webhook-server-service.kubeflow.svc\n issuerRef:\n kind: Issuer\n name: selfsigned-issuer\n secretName: kfserving-webhook-server-cert\n---\napiVersion: cert-manager.io/v1alpha2\nkind: Issuer\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: selfsigned-issuer\n namespace: kubeflow\nspec:\n selfSigned: {}\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: MutatingWebhookConfiguration\nmetadata:\n annotations:\n cert-manager.io/inject-ca-from: kubeflow/serving-cert\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: inferenceservice.serving.kubeflow.org\nwebhooks:\n- clientConfig:\n caBundle: Cg==\n service:\n name: kfserving-webhook-server-service\n namespace: kubeflow\n path: /mutate-serving-kubeflow-org-v1alpha2-inferenceservice\n failurePolicy: Fail\n name: inferenceservice.kfserving-webhook-server.defaulter\n rules:\n - apiGroups:\n - serving.kubeflow.org\n apiVersions:\n - v1alpha2\n operations:\n - CREATE\n - UPDATE\n resources:\n - inferenceservices\n- clientConfig:\n caBundle: Cg==\n service:\n name: kfserving-webhook-server-service\n namespace: kubeflow\n path: /mutate-serving-kubeflow-org-v1beta1-inferenceservice\n failurePolicy: Fail\n name: inferenceservice.kfserving-webhook-server.v1beta1.defaulter\n rules:\n - apiGroups:\n - serving.kubeflow.org\n apiVersions:\n - v1beta1\n operations:\n - CREATE\n - UPDATE\n resources:\n - inferenceservices\n- clientConfig:\n caBundle: Cg==\n service:\n name: kfserving-webhook-server-service\n namespace: kubeflow\n path: /mutate-pods\n failurePolicy: Fail\n name: inferenceservice.kfserving-webhook-server.pod-mutator\n namespaceSelector:\n matchExpressions:\n - key: control-plane\n operator: DoesNotExist\n objectSelector:\n matchExpressions:\n - key: serving.kubeflow.org/inferenceservice\n operator: Exists\n rules:\n - apiGroups:\n - \"\"\n apiVersions:\n - v1\n operations:\n - CREATE\n - UPDATE\n resources:\n - pods\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n annotations:\n cert-manager.io/inject-ca-from: kubeflow/serving-cert\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: inferenceservice.serving.kubeflow.org\nwebhooks:\n- clientConfig:\n caBundle: Cg==\n service:\n name: kfserving-webhook-server-service\n namespace: kubeflow\n path: /validate-serving-kubeflow-org-v1alpha2-inferenceservice\n failurePolicy: Fail\n name: inferenceservice.kfserving-webhook-server.validator\n rules:\n - apiGroups:\n - serving.kubeflow.org\n apiVersions:\n - v1alpha2\n operations:\n - CREATE\n - UPDATE\n resources:\n - inferenceservices\n- clientConfig:\n caBundle: Cg==\n service:\n name: kfserving-webhook-server-service\n namespace: kubeflow\n path: /validate-serving-kubeflow-org-v1beta1-inferenceservice\n failurePolicy: Fail\n name: inferenceservice.kfserving-webhook-server.v1beta1.validator\n rules:\n - apiGroups:\n - serving.kubeflow.org\n apiVersions:\n - v1beta1\n operations:\n - CREATE\n - UPDATE\n resources:\n - inferenceservices\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingWebhookConfiguration\nmetadata:\n annotations:\n cert-manager.io/inject-ca-from: kubeflow/serving-cert\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: trainedmodel.serving.kubeflow.org\nwebhooks:\n- clientConfig:\n caBundle: Cg==\n service:\n name: kfserving-webhook-server-service\n namespace: kubeflow\n path: /validate-serving-kubeflow-org-v1alpha1-trainedmodel\n failurePolicy: Fail\n name: trainedmodel.kfserving-webhook-server.validator\n rules:\n - apiGroups:\n - serving.kubeflow.org\n apiVersions:\n - v1alpha1\n operations:\n - CREATE\n - UPDATE\n resources:\n - trainedmodels\n"
},
{
"path": "manifest1.3/019-katib-installs-katib-with-kubeflow-cert-manager.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: experiments.kubeflow.org\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[-1:].type\n name: Type\n type: string\n - JSONPath: .status.conditions[-1:].status\n name: Status\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n group: kubeflow.org\n names:\n categories:\n - all\n - kubeflow\n - katib\n kind: Experiment\n plural: experiments\n singular: experiment\n scope: Namespaced\n subresources:\n status: {}\n version: v1beta1\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: suggestions.kubeflow.org\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[-1:].type\n name: Type\n type: string\n - JSONPath: .status.conditions[-1:].status\n name: Status\n type: string\n - JSONPath: .spec.requests\n name: Requested\n type: string\n - JSONPath: .status.suggestionCount\n name: Assigned\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n group: kubeflow.org\n names:\n categories:\n - all\n - kubeflow\n - katib\n kind: Suggestion\n plural: suggestions\n singular: suggestion\n scope: Namespaced\n subresources:\n status: {}\n version: v1beta1\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: trials.kubeflow.org\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[-1:].type\n name: Type\n type: string\n - JSONPath: .status.conditions[-1:].status\n name: Status\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n group: kubeflow.org\n names:\n categories:\n - all\n - kubeflow\n - katib\n kind: Trial\n plural: trials\n singular: trial\n scope: Namespaced\n subresources:\n status: {}\n version: v1beta1\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: katib-controller\n namespace: kubeflow\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: katib-ui\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: katib-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n - serviceaccounts\n - services\n - events\n - namespaces\n - persistentvolumes\n - persistentvolumeclaims\n - pods\n - pods/log\n - pods/status\n verbs:\n - '*'\n- apiGroups:\n - apps\n resources:\n - deployments\n verbs:\n - '*'\n- apiGroups:\n - rbac.authorization.k8s.io\n resources:\n - roles\n - rolebindings\n verbs:\n - '*'\n- apiGroups:\n - batch\n resources:\n - jobs\n - cronjobs\n verbs:\n - '*'\n- apiGroups:\n - kubeflow.org\n resources:\n - experiments\n - experiments/status\n - experiments/finalizers\n - trials\n - trials/status\n - trials/finalizers\n - suggestions\n - suggestions/status\n - suggestions/finalizers\n - tfjobs\n - pytorchjobs\n - mpijobs\n verbs:\n - '*'\n- apiGroups:\n - tekton.dev\n resources:\n - pipelineruns\n - taskruns\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: katib-ui\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n - namespaces\n verbs:\n - '*'\n- apiGroups:\n - kubeflow.org\n resources:\n - experiments\n - trials\n - suggestions\n verbs:\n - '*'\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: kubeflow-katib-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: \"true\"\n name: kubeflow-katib-edit\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - experiments\n - trials\n - suggestions\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: kubeflow-katib-view\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - experiments\n - trials\n - suggestions\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: katib-controller\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: katib-controller\nsubjects:\n- kind: ServiceAccount\n name: katib-controller\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: katib-ui\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: katib-ui\nsubjects:\n- kind: ServiceAccount\n name: katib-ui\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n early-stopping: |-\n {\n \"medianstop\": {\n \"image\": \"docker.io/kubeflowkatib/earlystopping-medianstop:v0.11.0\"\n }\n }\n metrics-collector-sidecar: |-\n {\n \"StdOut\": {\n \"image\": \"docker.io/kubeflowkatib/file-metrics-collector:v0.11.0\"\n },\n \"File\": {\n \"image\": \"docker.io/kubeflowkatib/file-metrics-collector:v0.11.0\"\n },\n \"TensorFlowEvent\": {\n \"image\": \"docker.io/kubeflowkatib/tfevent-metrics-collector:v0.11.0\",\n \"resources\": {\n \"limits\": {\n \"memory\": \"1Gi\"\n }\n }\n }\n }\n suggestion: |-\n {\n \"random\": {\n \"image\": \"docker.io/kubeflowkatib/suggestion-hyperopt:v0.11.0\"\n },\n \"tpe\": {\n \"image\": \"docker.io/kubeflowkatib/suggestion-hyperopt:v0.11.0\"\n },\n \"grid\": {\n \"image\": \"docker.io/kubeflowkatib/suggestion-chocolate:v0.11.0\"\n },\n \"hyperband\": {\n \"image\": \"docker.io/kubeflowkatib/suggestion-hyperband:v0.11.0\"\n },\n \"bayesianoptimization\": {\n \"image\": \"docker.io/kubeflowkatib/suggestion-skopt:v0.11.0\"\n },\n \"cmaes\": {\n \"image\": \"docker.io/kubeflowkatib/suggestion-goptuna:v0.11.0\"\n },\n \"enas\": {\n \"image\": \"docker.io/kubeflowkatib/suggestion-enas:v0.11.0\",\n \"resources\": {\n \"limits\": {\n \"memory\": \"200Mi\"\n }\n }\n },\n \"darts\": {\n \"image\": \"docker.io/kubeflowkatib/suggestion-darts:v0.11.0\"\n }\n }\nkind: ConfigMap\nmetadata:\n name: katib-config\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n defaultTrialTemplate.yaml: |-\n apiVersion: batch/v1\n kind: Job\n spec:\n template:\n spec:\n containers:\n - name: training-container\n image: docker.io/kubeflowkatib/mxnet-mnist:v1beta1-45c5727\n command:\n - \"python3\"\n - \"/opt/mxnet-mnist/mnist.py\"\n - \"--batch-size=64\"\n - \"--lr=${trialParameters.learningRate}\"\n - \"--num-layers=${trialParameters.numberLayers}\"\n - \"--optimizer=${trialParameters.optimizer}\"\n restartPolicy: Never\n enasCPUTemplate: |-\n apiVersion: batch/v1\n kind: Job\n spec:\n template:\n spec:\n containers:\n - name: training-container\n image: docker.io/kubeflowkatib/enas-cnn-cifar10-cpu:v1beta1-45c5727\n command:\n - python3\n - -u\n - RunTrial.py\n - --num_epochs=1\n - \"--architecture=\\\"${trialParameters.neuralNetworkArchitecture}\\\"\"\n - \"--nn_config=\\\"${trialParameters.neuralNetworkConfig}\\\"\"\n restartPolicy: Never\n pytorchJobTemplate: |-\n apiVersion: \"kubeflow.org/v1\"\n kind: PyTorchJob\n spec:\n pytorchReplicaSpecs:\n Master:\n replicas: 1\n restartPolicy: OnFailure\n template:\n spec:\n containers:\n - name: pytorch\n image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727\n imagePullPolicy: Always\n command:\n - \"python3\"\n - \"/opt/pytorch-mnist/mnist.py\"\n - \"--epochs=1\"\n - \"--lr=${trialParameters.learningRate}\"\n - \"--momentum=${trialParameters.momentum}\"\n Worker:\n replicas: 2\n restartPolicy: OnFailure\n template:\n spec:\n containers:\n - name: pytorch\n image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727\n imagePullPolicy: Always\n command:\n - \"python3\"\n - \"/opt/pytorch-mnist/mnist.py\"\n - \"--epochs=1\"\n - \"--lr=${trialParameters.learningRate}\"\n - \"--momentum=${trialParameters.momentum}\"\nkind: ConfigMap\nmetadata:\n labels:\n app: katib-trial-templates\n name: trial-template\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n MYSQL_ROOT_PASSWORD: dGVzdA==\nkind: Secret\nmetadata:\n name: katib-mysql-secrets\n namespace: kubeflow\ntype: Opaque\n---\napiVersion: v1\nkind: Service\nmetadata:\n annotations:\n prometheus.io/port: \"8080\"\n prometheus.io/scheme: http\n prometheus.io/scrape: \"true\"\n name: katib-controller\n namespace: kubeflow\nspec:\n ports:\n - name: webhook\n port: 443\n protocol: TCP\n targetPort: 8443\n - name: metrics\n port: 8080\n targetPort: 8080\n selector:\n app: katib-controller\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: katib-db-manager\n name: katib-db-manager\n namespace: kubeflow\nspec:\n ports:\n - name: api\n port: 6789\n protocol: TCP\n selector:\n app: katib-db-manager\n type: ClusterIP\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: katib-mysql\n name: katib-mysql\n namespace: kubeflow\nspec:\n ports:\n - name: dbapi\n port: 3306\n protocol: TCP\n selector:\n app: katib-mysql\n type: ClusterIP\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: katib-ui\n name: katib-ui\n namespace: kubeflow\nspec:\n ports:\n - name: ui\n port: 80\n protocol: TCP\n targetPort: 8080\n selector:\n app: katib-ui\n type: ClusterIP\n---\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: katib-mysql\n namespace: kubeflow\nspec:\n accessModes:\n - ReadWriteOnce\n resources:\n requests:\n storage: 10Gi\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: katib-controller\n name: katib-controller\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: katib-controller\n template:\n metadata:\n annotations:\n prometheus.io/scrape: \"true\"\n sidecar.istio.io/inject: \"false\"\n labels:\n app: katib-controller\n spec:\n containers:\n - args:\n - --webhook-port=8443\n - --trial-resources=Job.v1.batch\n - --trial-resources=TFJob.v1.kubeflow.org\n - --trial-resources=PyTorchJob.v1.kubeflow.org\n - --trial-resources=MPIJob.v1.kubeflow.org\n - --trial-resources=PipelineRun.v1beta1.tekton.dev\n command:\n - ./katib-controller\n env:\n - name: KATIB_CORE_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflowkatib-katib-controller:v0.11.0-8ba36\n name: katib-controller\n ports:\n - containerPort: 8443\n name: webhook\n protocol: TCP\n - containerPort: 8080\n name: metrics\n protocol: TCP\n resources:\n limits:\n cpu: \"1\"\n memory: 500Mi\n requests:\n cpu: 500m\n memory: 500Mi\n volumeMounts:\n - mountPath: /tmp/cert\n name: cert\n readOnly: true\n serviceAccountName: katib-controller\n volumes:\n - name: cert\n secret:\n defaultMode: 420\n secretName: katib-webhook-cert\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: katib-db-manager\n name: katib-db-manager\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: katib-db-manager\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: katib-db-manager\n spec:\n containers:\n - command:\n - ./katib-db-manager\n env:\n - name: DB_NAME\n value: mysql\n - name: DB_PASSWORD\n valueFrom:\n secretKeyRef:\n key: MYSQL_ROOT_PASSWORD\n name: katib-mysql-secrets\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflowkatib-katib-db-manager:v0.11.0-f54bf\n livenessProbe:\n exec:\n command:\n - /bin/grpc_health_probe\n - -addr=:6789\n failureThreshold: 5\n initialDelaySeconds: 10\n periodSeconds: 60\n name: katib-db-manager\n ports:\n - containerPort: 6789\n name: api\n readinessProbe:\n exec:\n command:\n - /bin/grpc_health_probe\n - -addr=:6789\n initialDelaySeconds: 5\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: katib-mysql\n name: katib-mysql\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: katib-mysql\n strategy:\n type: Recreate\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: katib-mysql\n spec:\n containers:\n - args:\n - --datadir\n - /var/lib/mysql/datadir\n env:\n - name: MYSQL_ROOT_PASSWORD\n valueFrom:\n secretKeyRef:\n key: MYSQL_ROOT_PASSWORD\n name: katib-mysql-secrets\n - name: MYSQL_ALLOW_EMPTY_PASSWORD\n value: \"true\"\n - name: MYSQL_DATABASE\n value: katib\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/mysql:8-0627e\n livenessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}\n initialDelaySeconds: 30\n periodSeconds: 10\n timeoutSeconds: 5\n name: katib-mysql\n ports:\n - containerPort: 3306\n name: dbapi\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - mysql -D ${MYSQL_DATABASE} -u root -p${MYSQL_ROOT_PASSWORD} -e 'SELECT 1'\n initialDelaySeconds: 5\n periodSeconds: 10\n timeoutSeconds: 1\n volumeMounts:\n - mountPath: /var/lib/mysql\n name: katib-mysql\n volumes:\n - name: katib-mysql\n persistentVolumeClaim:\n claimName: katib-mysql\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: katib-ui\n name: katib-ui\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: katib-ui\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: katib-ui\n spec:\n containers:\n - args:\n - --port=8080\n command:\n - ./katib-ui\n env:\n - name: KATIB_CORE_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflowkatib-katib-ui:v0.11.0-aaf82\n name: katib-ui\n ports:\n - containerPort: 8080\n name: ui\n serviceAccountName: katib-ui\n---\napiVersion: cert-manager.io/v1alpha2\nkind: Certificate\nmetadata:\n name: katib-webhook-cert\n namespace: kubeflow\nspec:\n commonName: katib-controller.kubeflow.svc\n dnsNames:\n - katib-controller.kubeflow.svc\n - katib-controller.kubeflow.svc.cluster.local\n isCA: true\n issuerRef:\n kind: Issuer\n name: katib-selfsigned-issuer\n secretName: katib-webhook-cert\n---\napiVersion: cert-manager.io/v1alpha2\nkind: Issuer\nmetadata:\n name: katib-selfsigned-issuer\n namespace: kubeflow\nspec:\n selfSigned: {}\n---\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n name: katib-ui\n namespace: kubeflow\nspec:\n gateways:\n - kubeflow-gateway\n hosts:\n - '*'\n http:\n - match:\n - uri:\n prefix: /katib/\n rewrite:\n uri: /katib/\n route:\n - destination:\n host: katib-ui.kubeflow.svc.cluster.local\n port:\n number: 80\n---\napiVersion: admissionregistration.k8s.io/v1\nkind: MutatingWebhookConfiguration\nmetadata:\n annotations:\n cert-manager.io/inject-ca-from: kubeflow/katib-webhook-cert\n name: katib.kubeflow.org\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n caBundle: Cg==\n service:\n name: katib-controller\n namespace: kubeflow\n path: /mutate-experiment\n failurePolicy: Ignore\n name: defaulter.experiment.katib.kubeflow.org\n rules:\n - apiGroups:\n - kubeflow.org\n apiVersions:\n - v1beta1\n operations:\n - CREATE\n - UPDATE\n resources:\n - experiments\n sideEffects: None\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n caBundle: Cg==\n service:\n name: katib-controller\n namespace: kubeflow\n path: /mutate-pod\n failurePolicy: Ignore\n name: mutator.pod.katib.kubeflow.org\n namespaceSelector:\n matchLabels:\n katib-metricscollector-injection: enabled\n rules:\n - apiGroups:\n - \"\"\n apiVersions:\n - v1\n operations:\n - CREATE\n resources:\n - pods\n sideEffects: None\n---\napiVersion: admissionregistration.k8s.io/v1\nkind: ValidatingWebhookConfiguration\nmetadata:\n annotations:\n cert-manager.io/inject-ca-from: kubeflow/katib-webhook-cert\n name: katib.kubeflow.org\nwebhooks:\n- admissionReviewVersions:\n - v1beta1\n clientConfig:\n caBundle: Cg==\n service:\n name: katib-controller\n namespace: kubeflow\n path: /validate-experiment\n failurePolicy: Ignore\n name: validator.experiment.katib.kubeflow.org\n rules:\n - apiGroups:\n - kubeflow.org\n apiVersions:\n - v1beta1\n operations:\n - CREATE\n - UPDATE\n resources:\n - experiments\n sideEffects: None\n"
},
{
"path": "manifest1.3/020-centraldashboard-overlays-istio.yaml",
"content": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n - app.k8s.io\n resources:\n - applications\n - pods\n - pods/exec\n - pods/log\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - secrets\n - configmaps\n verbs:\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard\nrules:\n- apiGroups:\n - \"\"\n resources:\n - events\n - namespaces\n - nodes\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: centraldashboard\nsubjects:\n- kind: ServiceAccount\n name: centraldashboard\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: centraldashboard\nsubjects:\n- kind: ServiceAccount\n name: centraldashboard\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n links: |-\n {\n \"menuLinks\": [\n {\n \"type\": \"item\",\n \"link\": \"/jupyter/\",\n \"text\": \"Notebooks\",\n \"icon\": \"book\"\n },\n {\n \"type\": \"item\",\n \"link\": \"/tensorboards/\",\n \"text\": \"Tensorboards\",\n \"icon\": \"assessment\"\n },\n {\n \"type\": \"item\",\n \"link\": \"/volumes/\",\n \"text\": \"Volumes\",\n \"icon\": \"device:storage\"\n },\n {\n \"type\": \"item\",\n \"link\": \"/katib/\",\n \"text\": \"Experiments (AutoML)\",\n \"icon\": \"kubeflow:katib\"\n },\n {\n \"type\": \"item\",\n \"text\": \"Experiments (KFP)\",\n \"link\": \"/pipeline/#/experiments\",\n \"icon\": \"done-all\"\n },\n {\n \"type\": \"item\",\n \"link\": \"/pipeline/#/pipelines\",\n \"text\": \"Pipelines\",\n \"icon\": \"kubeflow:pipeline-centered\"\n },\n {\n \"type\": \"item\",\n \"link\": \"/pipeline/#/runs\",\n \"text\": \"Runs\",\n \"icon\": \"maps:directions-run\"\n },\n {\n \"type\": \"item\",\n \"link\": \"/pipeline/#/recurringruns\",\n \"text\": \"Recurring Runs\",\n \"icon\": \"device:access-alarm\"\n },\n {\n \"type\": \"item\",\n \"link\": \"/pipeline/#/artifacts\",\n \"text\": \"Artifacts\",\n \"icon\": \"editor:bubble-chart\"\n },\n {\n \"type\": \"item\",\n \"link\": \"/pipeline/#/executions\",\n \"text\": \"Executions\",\n \"icon\": \"av:play-arrow\"\n }\n ],\n \"externalLinks\": [ ],\n \"quickLinks\": [\n {\n \"text\": \"Upload a pipeline\",\n \"desc\": \"Pipelines\",\n \"link\": \"/pipeline/\"\n },\n {\n \"text\": \"View all pipeline runs\",\n \"desc\": \"Pipelines\",\n \"link\": \"/pipeline/#/runs\"\n },\n {\n \"text\": \"Create a new Notebook server\",\n \"desc\": \"Notebook Servers\",\n \"link\": \"/jupyter/new?namespace=kubeflow\"\n },\n {\n \"text\": \"View Katib Experiments\",\n \"desc\": \"Katib\",\n \"link\": \"/katib/\"\n }\n ],\n \"documentationItems\": [\n {\n \"text\": \"Getting Started with Kubeflow\",\n \"desc\": \"Get your machine-learning workflow up and running on Kubeflow\",\n \"link\": \"https://www.kubeflow.org/docs/started/getting-started/\"\n },\n {\n \"text\": \"MiniKF\",\n \"desc\": \"A fast and easy way to deploy Kubeflow locally\",\n \"link\": \"https://www.kubeflow.org/docs/started/getting-started-minikf/\"\n },\n {\n \"text\": \"Microk8s for Kubeflow\",\n \"desc\": \"Quickly get Kubeflow running locally on native hypervisors\",\n \"link\": \"https://www.kubeflow.org/docs/started/getting-started-multipass/\"\n },\n {\n \"text\": \"Minikube for Kubeflow\",\n \"desc\": \"Quickly get Kubeflow running locally\",\n \"link\": \"https://www.kubeflow.org/docs/started/getting-started-minikube/\"\n },\n {\n \"text\": \"Kubeflow on GCP\",\n \"desc\": \"Running Kubeflow on Kubernetes Engine and Google Cloud Platform\",\n \"link\": \"https://www.kubeflow.org/docs/gke/\"\n },\n {\n \"text\": \"Kubeflow on AWS\",\n \"desc\": \"Running Kubeflow on Elastic Container Service and Amazon Web Services\",\n \"link\": \"https://www.kubeflow.org/docs/aws/\"\n },\n {\n \"text\": \"Requirements for Kubeflow\",\n \"desc\": \"Get more detailed information about using Kubeflow and its components\",\n \"link\": \"https://www.kubeflow.org/docs/started/requirements/\"\n }\n ]\n }\n settings: |-\n {\n \"DASHBOARD_FORCE_IFRAME\": true\n }\nkind: ConfigMap\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard-config\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n CD_CLUSTER_DOMAIN: cluster.local\n CD_REGISTRATION_FLOW: \"false\"\n CD_USERID_HEADER: kubeflow-userid\n CD_USERID_PREFIX: \"\"\nkind: ConfigMap\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard-parameters\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard\n namespace: kubeflow\nspec:\n ports:\n - port: 80\n protocol: TCP\n targetPort: 8082\n selector:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n sessionAffinity: None\n type: ClusterIP\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n spec:\n containers:\n - env:\n - name: USERID_HEADER\n value: kubeflow-userid\n - name: USERID_PREFIX\n value: \"\"\n - name: PROFILES_KFAM_SERVICE_HOST\n value: profiles-kfam.kubeflow\n - name: REGISTRATION_FLOW\n value: \"false\"\n - name: DASHBOARD_LINKS_CONFIGMAP\n value: centraldashboard-config\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-central-dashboard:v1.3.0-rc.0-a0ffd\n imagePullPolicy: IfNotPresent\n livenessProbe:\n httpGet:\n path: /healthz\n port: 8082\n initialDelaySeconds: 30\n periodSeconds: 30\n name: centraldashboard\n ports:\n - containerPort: 8082\n protocol: TCP\n serviceAccountName: centraldashboard\n---\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n labels:\n app: centraldashboard\n app.kubernetes.io/component: centraldashboard\n app.kubernetes.io/name: centraldashboard\n kustomize.component: centraldashboard\n name: centraldashboard\n namespace: kubeflow\nspec:\n gateways:\n - kubeflow-gateway\n hosts:\n - '*'\n http:\n - match:\n - uri:\n prefix: /\n rewrite:\n uri: /\n route:\n - destination:\n host: centraldashboard.kubeflow.svc.cluster.local\n port:\n number: 80\n"
},
{
"path": "manifest1.3/021-admission-webhook-overlays-cert-manager.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n name: poddefaults.kubeflow.org\nspec:\n group: kubeflow.org\n names:\n kind: PodDefault\n plural: poddefaults\n singular: poddefault\n scope: Namespaced\n validation:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n desc:\n type: string\n env:\n items:\n type: object\n type: array\n envFrom:\n items:\n type: object\n type: array\n selector:\n type: object\n serviceAccountName:\n type: string\n volumeMounts:\n items:\n type: object\n type: array\n volumes:\n items:\n type: object\n type: array\n required:\n - selector\n type: object\n status:\n type: object\n type: object\n version: v1alpha1\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n name: admission-webhook-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n name: admission-webhook-cluster-role\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - poddefaults\n verbs:\n - get\n - watch\n - list\n - update\n - create\n - patch\n - delete\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: admission-webhook-kubeflow-poddefaults-admin\nrules: []\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n name: admission-webhook-kubeflow-poddefaults-edit\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: admission-webhook-kubeflow-poddefaults-view\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - poddefaults\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n name: admission-webhook-cluster-role-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: admission-webhook-cluster-role\nsubjects:\n- kind: ServiceAccount\n name: admission-webhook-service-account\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n name: admission-webhook-service\n namespace: kubeflow\nspec:\n ports:\n - name: https-webhook\n port: 443\n targetPort: https-webhook\n selector:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n name: admission-webhook-deployment\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n spec:\n containers:\n - args:\n - --tlsCertFile=/etc/webhook/certs/tls.crt\n - --tlsKeyFile=/etc/webhook/certs/tls.key\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-admission-webhook:v1.3.0-rc.0-cc332\n name: admission-webhook\n ports:\n - containerPort: 4443\n name: https-webhook\n volumeMounts:\n - mountPath: /etc/webhook/certs\n name: webhook-cert\n readOnly: true\n serviceAccountName: admission-webhook-service-account\n volumes:\n - name: webhook-cert\n secret:\n secretName: webhook-certs\n---\napiVersion: cert-manager.io/v1alpha2\nkind: Certificate\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n name: admission-webhook-cert\n namespace: kubeflow\nspec:\n commonName: admission-webhook-service.kubeflow.svc\n dnsNames:\n - admission-webhook-service.kubeflow.svc\n - admission-webhook-service.kubeflow.svc.cluster.local\n isCA: true\n issuerRef:\n kind: Issuer\n name: admission-webhook-selfsigned-issuer\n secretName: webhook-certs\n---\napiVersion: cert-manager.io/v1alpha2\nkind: Issuer\nmetadata:\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n name: admission-webhook-selfsigned-issuer\n namespace: kubeflow\nspec:\n selfSigned: {}\n---\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: MutatingWebhookConfiguration\nmetadata:\n annotations:\n cert-manager.io/inject-ca-from: kubeflow/admission-webhook-cert\n labels:\n app: poddefaults\n app.kubernetes.io/component: poddefaults\n app.kubernetes.io/name: poddefaults\n kustomize.component: poddefaults\n name: admission-webhook-mutating-webhook-configuration\nwebhooks:\n- clientConfig:\n caBundle: \"\"\n service:\n name: admission-webhook-service\n namespace: kubeflow\n path: /apply-poddefault\n name: admission-webhook-deployment.kubeflow.org\n namespaceSelector:\n matchLabels:\n app.kubernetes.io/part-of: kubeflow-profile\n rules:\n - apiGroups:\n - \"\"\n apiVersions:\n - v1\n operations:\n - CREATE\n resources:\n - pods\n"
},
{
"path": "manifest1.3/022-jupyter-overlays-istio.yaml",
"content": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: Role\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-jupyter-notebook-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - pods\n - pods/log\n - secrets\n - services\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n - apps\n - extensions\n resources:\n - deployments\n - replicasets\n verbs:\n - '*'\n- apiGroups:\n - kubeflow.org\n resources:\n - '*'\n verbs:\n - '*'\n- apiGroups:\n - batch\n resources:\n - jobs\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-cluster-role\nrules:\n- apiGroups:\n - \"\"\n resources:\n - namespaces\n verbs:\n - get\n - list\n - create\n - delete\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n- apiGroups:\n - kubeflow.org\n resources:\n - notebooks\n - notebooks/finalizers\n - poddefaults\n verbs:\n - get\n - list\n - create\n - delete\n - patch\n - update\n- apiGroups:\n - \"\"\n resources:\n - persistentvolumeclaims\n verbs:\n - create\n - delete\n - get\n - list\n- apiGroups:\n - \"\"\n resources:\n - events\n - nodes\n verbs:\n - list\n- apiGroups:\n - storage.k8s.io\n resources:\n - storageclasses\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: jupyter-web-app-kubeflow-notebook-ui-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n name: jupyter-web-app-kubeflow-notebook-ui-edit\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - notebooks\n - notebooks/finalizers\n - poddefaults\n verbs:\n - get\n - list\n - create\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: jupyter-web-app-kubeflow-notebook-ui-view\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - notebooks\n - notebooks/finalizers\n - poddefaults\n verbs:\n - get\n - list\n- apiGroups:\n - storage.k8s.io\n resources:\n - storageclasses\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: RoleBinding\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-jupyter-notebook-role-binding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: jupyter-web-app-jupyter-notebook-role\nsubjects:\n- kind: ServiceAccount\n name: jupyter-notebook\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-cluster-role-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: jupyter-web-app-cluster-role\nsubjects:\n- kind: ServiceAccount\n name: jupyter-web-app-service-account\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n spawner_ui_config.yaml: |\n # Configuration file for the Jupyter UI.\n #\n # Each Jupyter UI option is configured by two keys: 'value' and 'readOnly'\n # - The 'value' key contains the default value\n # - The 'readOnly' key determines if the option will be available to users\n #\n # If the 'readOnly' key is present and set to 'true', the respective option\n # will be disabled for users and only set by the admin. Also when a\n # Notebook is POSTED to the API if a necessary field is not present then\n # the value from the config will be used.\n #\n # If the 'readOnly' key is missing (defaults to 'false'), the respective option\n # will be available for users to edit.\n #\n # Note that some values can be templated. Such values are the names of the\n # Volumes as well as their StorageClass\n spawnerFormDefaults:\n image:\n # The container Image for the user's Jupyter Notebook\n value: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy:v1.3.0-rc.0\n # The list of available standard container Images\n options:\n - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy:v1.3.0-rc.0\n - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-full:v1.3.0-rc.0\n - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-cuda-full:v1.3.0-rc.0\n - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-full:v1.3.0-rc.0\n - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-cuda-full:v1.3.0-rc.0\n imageVSCode:\n # The container Image for the user's VS-Code Server\n value: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/codeserver-python:v1.3.0-rc.0\n # The list of available standard container Images\n options:\n - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/codeserver-python:v1.3.0-rc.0\n imageRStudio:\n # The container Image for the user's RStudio Server\n value: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/rstudio-tidyverse:v1.3.0-rc.0\n # The list of available standard container Images\n options:\n - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/rstudio-tidyverse:v1.3.0-rc.0\n allowCustomImage: true\n imagePullPolicy:\n value: IfNotPresent\n readOnly: false\n cpu:\n # CPU for user's Notebook\n value: '0.5'\n readOnly: false\n memory:\n # Memory for user's Notebook\n value: 1.0Gi\n readOnly: false\n workspaceVolume:\n # Workspace Volume to be attached to user's Notebook\n # Each Workspace Volume is declared with the following attributes:\n # Type, Name, Size, MountPath and Access Mode\n value:\n type:\n # The Type of the Workspace Volume\n # Supported values: 'New', 'Existing'\n value: New\n name:\n # The Name of the Workspace Volume\n # Note that this is a templated value. Special values:\n # {notebook-name}: Replaced with the name of the Notebook. The frontend\n # will replace this value as the user types the name\n value: 'workspace-{notebook-name}'\n size:\n # The Size of the Workspace Volume (in Gi)\n value: '10Gi'\n mountPath:\n # The Path that the Workspace Volume will be mounted\n value: /home/jovyan\n accessModes:\n # The Access Mode of the Workspace Volume\n # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany'\n value: ReadWriteOnce\n class:\n # The StrageClass the PVC will use if type is New. Special values are:\n # {none}: default StorageClass\n # {empty}: empty string \"\"\n value: '{none}'\n readOnly: false\n dataVolumes:\n # List of additional Data Volumes to be attached to the user's Notebook\n value: []\n # Each Data Volume is declared with the following attributes:\n # Type, Name, Size, MountPath and Access Mode\n #\n # For example, a list with 2 Data Volumes:\n # value:\n # - value:\n # type:\n # value: New\n # name:\n # value: '{notebook-name}-vol-1'\n # size:\n # value: '10Gi'\n # class:\n # value: standard\n # mountPath:\n # value: /home/jovyan/vol-1\n # accessModes:\n # value: ReadWriteOnce\n # class:\n # value: {none}\n # - value:\n # type:\n # value: New\n # name:\n # value: '{notebook-name}-vol-2'\n # size:\n # value: '10Gi'\n # mountPath:\n # value: /home/jovyan/vol-2\n # accessModes:\n # value: ReadWriteMany\n # class:\n # value: {none}\n readOnly: false\n gpus:\n # Number of GPUs to be assigned to the Notebook Container\n value:\n # values: \"none\", \"1\", \"2\", \"4\", \"8\"\n num: \"none\"\n # Determines what the UI will show and send to the backend\n vendors:\n - limitsKey: \"nvidia.com/gpu\"\n uiName: \"NVIDIA\"\n - limitsKey: \"amd.com/gpu\"\n uiName: \"AMD\"\n # Values: \"\" or a `limits-key` from the vendors list\n vendor: \"\"\n readOnly: false\n shm:\n value: true\n readOnly: false\n configurations:\n # List of labels to be selected, these are the labels from PodDefaults\n # value:\n # - add-gcp-secret\n # - default-editor\n value: []\n readOnly: false\n affinityConfig:\n # The default `configKey` from the options list\n # If readonly, the default value will be the only option\n value: \"none\"\n # The list of available affinity configs\n options: []\n # # (DESC) Pod gets an exclusive \"n1-standard-2\" Node\n # # (TIP) set PreferNoSchedule taint on this node-pool\n # # (TIP) enable cluster-autoscaler on this node-pool\n # # (TIP) dont let users request more CPU/MEMORY than the size of this node\n # - configKey: \"exclusive__n1-standard-2\"\n # displayName: \"Exclusive: n1-standard-2\"\n # affinity:\n # # (Require) Node having label: `node_pool=notebook-n1-standard-2`\n # nodeAffinity:\n # requiredDuringSchedulingIgnoredDuringExecution:\n # nodeSelectorTerms:\n # - matchExpressions:\n # - key: \"node_pool\"\n # operator: \"In\"\n # values:\n # - \"notebook-n1-standard-2\"\n # # (Require) Node WITHOUT existing Pod having label: `notebook-name`\n # podAntiAffinity:\n # requiredDuringSchedulingIgnoredDuringExecution:\n # - labelSelector:\n # matchExpressions:\n # - key: \"notebook-name\"\n # operator: \"Exists\"\n # namespaces: []\n # topologyKey: \"kubernetes.io/hostname\"\n readOnly: false\n tolerationGroup:\n # The default `groupKey` from the options list\n # If readonly, the default value will be the only option\n value: \"none\"\n # The list of available tolerationGroup configs\n options: []\n # - groupKey: \"group_1\"\n # displayName: \"Group 1: description\"\n # tolerations:\n # - key: \"key1\"\n # operator: \"Equal\"\n # value: \"value1\"\n # effect: \"NoSchedule\"\n # - key: \"key2\"\n # operator: \"Equal\"\n # value: \"value2\"\n # effect: \"NoSchedule\"\n readOnly: false\nkind: ConfigMap\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-config-tkhtgh5mcm\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n JWA_CLUSTER_DOMAIN: cluster.local\n JWA_PREFIX: /jupyter\n JWA_UI: default\n JWA_USERID_HEADER: kubeflow-userid\n JWA_USERID_PREFIX: \"\"\nkind: ConfigMap\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-parameters-chmg88cm48\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n run: jupyter-web-app\n name: jupyter-web-app-service\n namespace: kubeflow\nspec:\n ports:\n - name: http\n port: 80\n protocol: TCP\n targetPort: 5000\n selector:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n type: ClusterIP\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n spec:\n containers:\n - env:\n - name: APP_PREFIX\n value: /jupyter\n - name: UI\n value: default\n - name: USERID_HEADER\n value: kubeflow-userid\n - name: USERID_PREFIX\n value: \"\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-jupyter-web-app:v1.3.0-rc.0-70edb\n name: jupyter-web-app\n ports:\n - containerPort: 5000\n volumeMounts:\n - mountPath: /etc/config\n name: config-volume\n serviceAccountName: jupyter-web-app-service-account\n volumes:\n - configMap:\n name: jupyter-web-app-config-tkhtgh5mcm\n name: config-volume\n---\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-jupyter-web-app\n namespace: kubeflow\nspec:\n gateways:\n - kubeflow-gateway\n hosts:\n - '*'\n http:\n - headers:\n request:\n add:\n x-forwarded-prefix: /jupyter\n match:\n - uri:\n prefix: /jupyter/\n rewrite:\n uri: /\n route:\n - destination:\n host: jupyter-web-app-service.kubeflow.svc.cluster.local\n port:\n number: 80\n"
},
{
"path": "manifest1.3/023-jupyter-overlays-kubeflow.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n name: notebooks.kubeflow.org\nspec:\n group: kubeflow.org\n names:\n kind: Notebook\n plural: notebooks\n singular: notebook\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n properties:\n template:\n description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run \"make\" to regenerate code after modifying this file'\n properties:\n spec:\n type: object\n type: object\n type: object\n status:\n properties:\n conditions:\n description: Conditions is an array of current conditions\n items:\n properties:\n type:\n description: Type of the confition/\n type: string\n required:\n - type\n type: object\n type: array\n required:\n - conditions\n type: object\n versions:\n - name: v1alpha1\n served: true\n storage: false\n - name: v1beta1\n served: true\n storage: false\n - name: v1\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n name: notebook-controller-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n name: notebook-controller-leader-election-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps/status\n verbs:\n - get\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: notebook-controller-kubeflow-notebooks-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: \"true\"\n name: notebook-controller-kubeflow-notebooks-edit\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - notebooks\n - notebooks/status\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: notebook-controller-kubeflow-notebooks-view\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - notebooks\n - notebooks/status\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n creationTimestamp: null\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n name: notebook-controller-role\nrules:\n- apiGroups:\n - apps\n resources:\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - pods\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - services\n verbs:\n - '*'\n- apiGroups:\n - kubeflow.org\n resources:\n - notebooks\n - notebooks/finalizers\n - notebooks/status\n verbs:\n - '*'\n- apiGroups:\n - networking.istio.io\n resources:\n - virtualservices\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n name: notebook-controller-leader-election-rolebinding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: notebook-controller-leader-election-role\nsubjects:\n- kind: ServiceAccount\n name: notebook-controller-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n name: notebook-controller-role-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: notebook-controller-role\nsubjects:\n- kind: ServiceAccount\n name: notebook-controller-service-account\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n ISTIO_GATEWAY: kubeflow/kubeflow-gateway\n USE_ISTIO: \"true\"\nkind: ConfigMap\nmetadata:\n annotations: {}\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n name: notebook-controller-config-m44cmb547t\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n name: notebook-controller-service\n namespace: kubeflow\nspec:\n ports:\n - port: 443\n selector:\n app: notebook-controller\n kustomize.component: notebook-controller\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n name: notebook-controller-deployment\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: notebook-controller\n kustomize.component: notebook-controller\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: notebook-controller\n kustomize.component: notebook-controller\n spec:\n containers:\n - command:\n - /manager\n env:\n - name: USE_ISTIO\n valueFrom:\n configMapKeyRef:\n key: USE_ISTIO\n name: notebook-controller-config-m44cmb547t\n - name: ISTIO_GATEWAY\n valueFrom:\n configMapKeyRef:\n key: ISTIO_GATEWAY\n name: notebook-controller-config-m44cmb547t\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-notebook-controller:v1.3.0-rc.0-4c9fa\n imagePullPolicy: Always\n livenessProbe:\n httpGet:\n path: /metrics\n port: 8080\n initialDelaySeconds: 30\n periodSeconds: 30\n name: manager\n serviceAccountName: notebook-controller-service-account\n"
},
{
"path": "manifest1.3/024-profiles-overlays-kubeflow.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: v0.4.0\n labels:\n kustomize.component: profiles\n name: profiles.kubeflow.org\nspec:\n conversion:\n strategy: None\n group: kubeflow.org\n names:\n kind: Profile\n listKind: ProfileList\n plural: profiles\n singular: profile\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Profile is the Schema for the profiles API\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: ProfileSpec defines the desired state of Profile\n properties:\n owner:\n description: The profile owner\n properties:\n apiGroup:\n description: APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.\n type: string\n kind:\n description: Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.\n type: string\n name:\n description: Name of the object being referenced.\n type: string\n namespace:\n description: Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.\n type: string\n required:\n - kind\n - name\n type: object\n plugins:\n items:\n description: Plugin is for customize actions on different platform.\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n spec:\n type: object\n type: object\n type: array\n resourceQuotaSpec:\n description: Resourcequota that will be applied to target namespace\n properties:\n hard:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n description: 'hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'\n type: object\n scopeSelector:\n description: scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.\n properties:\n matchExpressions:\n description: A list of scope selector requirements by scope of the resources.\n items:\n description: A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.\n properties:\n operator:\n description: Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.\n type: string\n scopeName:\n description: The name of the scope that the selector applies to.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - operator\n - scopeName\n type: object\n type: array\n type: object\n scopes:\n description: A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.\n items:\n description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota\n type: string\n type: array\n type: object\n type: object\n status:\n description: ProfileStatus defines the observed state of Profile\n properties:\n conditions:\n items:\n properties:\n message:\n type: string\n status:\n type: string\n type:\n type: string\n type: object\n type: array\n type: object\n type: object\n served: true\n storage: true\n subresources:\n status: {}\n - name: v1beta1\n schema:\n openAPIV3Schema:\n description: Profile is the Schema for the profiles API\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: ProfileSpec defines the desired state of Profile\n properties:\n owner:\n description: The profile owner\n properties:\n apiGroup:\n description: APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.\n type: string\n kind:\n description: Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.\n type: string\n name:\n description: Name of the object being referenced.\n type: string\n namespace:\n description: Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.\n type: string\n required:\n - kind\n - name\n type: object\n plugins:\n items:\n description: Plugin is for customize actions on different platform.\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n spec:\n type: object\n type: object\n type: array\n resourceQuotaSpec:\n description: Resourcequota that will be applied to target namespace\n properties:\n hard:\n additionalProperties:\n anyOf:\n - type: integer\n - type: string\n pattern: ^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$\n x-kubernetes-int-or-string: true\n description: 'hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'\n type: object\n scopeSelector:\n description: scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.\n properties:\n matchExpressions:\n description: A list of scope selector requirements by scope of the resources.\n items:\n description: A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.\n properties:\n operator:\n description: Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.\n type: string\n scopeName:\n description: The name of the scope that the selector applies to.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - operator\n - scopeName\n type: object\n type: array\n type: object\n scopes:\n description: A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.\n items:\n description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota\n type: string\n type: array\n type: object\n type: object\n status:\n description: ProfileStatus defines the observed state of Profile\n properties:\n conditions:\n items:\n properties:\n message:\n type: string\n status:\n type: string\n type:\n type: string\n type: object\n type: array\n type: object\n type: object\n served: true\n storage: false\n subresources:\n status: {}\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n kustomize.component: profiles\n name: profiles-controller-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n kustomize.component: profiles\n name: profiles-leader-election-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps/status\n verbs:\n - get\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n labels:\n kustomize.component: profiles\n name: profiles-leader-election-rolebinding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: profiles-leader-election-role\nsubjects:\n- kind: ServiceAccount\n name: profiles-controller-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n kustomize.component: profiles\n name: profiles-cluster-role-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n name: profiles-controller-service-account\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n ADMIN: \"\"\n USERID_HEADER: kubeflow-userid\n USERID_PREFIX: \"\"\n WORKLOAD_IDENTITY: \"\"\nkind: ConfigMap\nmetadata:\n labels:\n kustomize.component: profiles\n name: profiles-config-46c7tgh6fd\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n kustomize.component: profiles\n name: profiles-kfam\n namespace: kubeflow\nspec:\n ports:\n - port: 8081\n selector:\n kustomize.component: profiles\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n kustomize.component: profiles\n name: profiles-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n kustomize.component: profiles\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n kustomize.component: profiles\n spec:\n containers:\n - command:\n - /access-management\n - -cluster-admin\n - $(ADMIN)\n - -userid-header\n - $(USERID_HEADER)\n - -userid-prefix\n - $(USERID_PREFIX)\n envFrom:\n - configMapRef:\n name: profiles-config-46c7tgh6fd\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-access-management:v1.3.0-rc.0-a869b\n imagePullPolicy: Always\n livenessProbe:\n httpGet:\n path: /metrics\n port: 8081\n initialDelaySeconds: 30\n periodSeconds: 30\n name: kfam\n ports:\n - containerPort: 8081\n name: kfam-http\n protocol: TCP\n - command:\n - /manager\n - -userid-header\n - $(USERID_HEADER)\n - -userid-prefix\n - $(USERID_PREFIX)\n - -workload-identity\n - $(WORKLOAD_IDENTITY)\n envFrom:\n - configMapRef:\n name: profiles-config-46c7tgh6fd\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-profile-controller:v1.3.0-rc.0-ce3b3\n imagePullPolicy: Always\n livenessProbe:\n httpGet:\n path: /metrics\n port: 8080\n initialDelaySeconds: 30\n periodSeconds: 30\n name: manager\n ports:\n - containerPort: 8080\n name: manager-http\n protocol: TCP\n serviceAccountName: profiles-controller-service-account\n---\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n labels:\n kustomize.component: profiles\n name: profiles-kfam\n namespace: kubeflow\nspec:\n gateways:\n - kubeflow-gateway\n hosts:\n - '*'\n http:\n - headers:\n request:\n add:\n x-forwarded-prefix: /kfam\n match:\n - uri:\n prefix: /kfam/\n rewrite:\n uri: /kfam/\n route:\n - destination:\n host: profiles-kfam.kubeflow.svc.cluster.local\n port:\n number: 8081\n"
},
{
"path": "manifest1.3/025-volumes-web-app-overlays-istio.yaml",
"content": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n name: volumes-web-app-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n name: volumes-web-app-cluster-role\nrules:\n- apiGroups:\n - \"\"\n resources:\n - namespaces\n - pods\n verbs:\n - get\n - list\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n- apiGroups:\n - \"\"\n resources:\n - persistentvolumeclaims\n verbs:\n - create\n - delete\n - get\n - list\n - watch\n - update\n - patch\n- apiGroups:\n - storage.k8s.io\n resources:\n - storageclasses\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - list\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: volumes-web-app-kubeflow-volume-ui-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n name: volumes-web-app-kubeflow-volume-ui-edit\nrules:\n- apiGroups:\n - \"\"\n resources:\n - persistentvolumeclaims\n verbs:\n - create\n - delete\n - get\n - list\n - watch\n - update\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: volumes-web-app-kubeflow-volume-ui-view\nrules:\n- apiGroups:\n - \"\"\n resources:\n - persistentvolumeclaims\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - storage.k8s.io\n resources:\n - storageclasses\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n name: volumes-web-app-cluster-role-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: volumes-web-app-cluster-role\nsubjects:\n- kind: ServiceAccount\n name: volumes-web-app-service-account\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n VWA_CLUSTER_DOMAIN: cluster.local\n VWA_PREFIX: /volumes\n VWA_USERID_HEADER: kubeflow-userid\n VWA_USERID_PREFIX: \"\"\nkind: ConfigMap\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n name: volumes-web-app-parameters-4gg8cm2gmk\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n run: volumes-web-app\n name: volumes-web-app-service\n namespace: kubeflow\nspec:\n ports:\n - name: http\n port: 80\n protocol: TCP\n targetPort: 5000\n selector:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n type: ClusterIP\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n name: volumes-web-app-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n spec:\n containers:\n - env:\n - name: APP_PREFIX\n value: /volumes\n - name: USERID_HEADER\n value: kubeflow-userid\n - name: USERID_PREFIX\n value: \"\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-volumes-web-app:v1.3.0-rc.0-fe235\n name: volumes-web-app\n ports:\n - containerPort: 5000\n serviceAccountName: volumes-web-app-service-account\n---\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n name: volumes-web-app-volumes-web-app\n namespace: kubeflow\nspec:\n gateways:\n - kubeflow-gateway\n hosts:\n - '*'\n http:\n - headers:\n request:\n add:\n x-forwarded-prefix: /volumes\n match:\n - uri:\n prefix: /volumes/\n rewrite:\n uri: /\n route:\n - destination:\n host: volumes-web-app-service.kubeflow.svc.cluster.local\n port:\n number: 80\n"
},
{
"path": "manifest1.3/026-tensorboard-overlays-kubeflow.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n creationTimestamp: null\n name: tensorboards.tensorboard.kubeflow.org\nspec:\n group: tensorboard.kubeflow.org\n names:\n kind: Tensorboard\n listKind: TensorboardList\n plural: tensorboards\n singular: tensorboard\n scope: \"\"\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n description: Tensorboard is the Schema for the tensorboards API\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: TensorboardSpec defines the desired state of Tensorboard\n properties:\n logspath:\n description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run \"make\" to regenerate code after modifying this file'\n type: string\n required:\n - logspath\n type: object\n status:\n description: TensorboardStatus defines the observed state of Tensorboard\n properties:\n conditions:\n description: Conditions is an array of current conditions\n items:\n description: TensorboardCondition defines the observed state of Tensorboard\n properties:\n deploymentState:\n description: Deployment status, 'Available', 'Progressing', 'ReplicaFailure' .\n type: string\n lastProbeTime:\n description: Last time we probed the condition.\n format: date-time\n type: string\n required:\n - deploymentState\n type: object\n type: array\n readyReplicas:\n description: ReadyReplicas defines the number of Tensorboard Servers that are available to connect. The value of ReadyReplicas can be either 0 or 1\n format: int32\n type: integer\n required:\n - conditions\n - readyReplicas\n type: object\n type: object\n version: v1alpha1\n versions:\n - name: v1alpha1\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: tensorboard-controller\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: tensorboard-controller-leader-election-role\n namespace: kubeflow\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps/status\n verbs:\n - get\n - update\n - patch\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n creationTimestamp: null\n name: tensorboard-controller-manager-role\nrules:\n- apiGroups:\n - apps\n resources:\n - deployments\n verbs:\n - create\n - get\n - list\n - update\n - watch\n- apiGroups:\n - \"\"\n resources:\n - persistentvolumeclaims\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - pods\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - services\n verbs:\n - create\n - get\n - list\n - update\n - watch\n- apiGroups:\n - networking.istio.io\n resources:\n - virtualservices\n verbs:\n - create\n - get\n - list\n - update\n - watch\n- apiGroups:\n - tensorboard.kubeflow.org\n resources:\n - tensorboards\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n- apiGroups:\n - tensorboard.kubeflow.org\n resources:\n - tensorboards/status\n verbs:\n - get\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: tensorboard-controller-proxy-role\nrules:\n- apiGroups:\n - authentication.k8s.io\n resources:\n - tokenreviews\n verbs:\n - create\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: tensorboard-controller-leader-election-rolebinding\n namespace: kubeflow\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: tensorboard-controller-leader-election-role\nsubjects:\n- kind: ServiceAccount\n name: tensorboard-controller\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: tensorboard-controller-manager-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: tensorboard-controller-manager-role\nsubjects:\n- kind: ServiceAccount\n name: tensorboard-controller\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: tensorboard-controller-proxy-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: tensorboard-controller-proxy-role\nsubjects:\n- kind: ServiceAccount\n name: tensorboard-controller\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n RWO_PVC_SCHEDULING: \"True\"\nkind: ConfigMap\nmetadata:\n name: tensorboard-controller-config-bf88mm96c8\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n annotations:\n prometheus.io/port: \"8443\"\n prometheus.io/scheme: https\n prometheus.io/scrape: \"true\"\n labels:\n control-plane: controller-manager\n name: tensorboard-controller-controller-manager-metrics-service\n namespace: kubeflow\nspec:\n ports:\n - name: https\n port: 8443\n targetPort: https\n selector:\n control-plane: controller-manager\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n control-plane: controller-manager\n name: tensorboard-controller-controller-manager\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n control-plane: controller-manager\n template:\n metadata:\n labels:\n control-plane: controller-manager\n spec:\n containers:\n - args:\n - --metrics-addr=127.0.0.1:8080\n - --enable-leader-election\n command:\n - /manager\n envFrom:\n - configMapRef:\n name: tensorboard-controller-config-bf88mm96c8\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-tensorboard-controller:v1.3.0-rc.0-31ba9\n name: manager\n resources:\n limits:\n cpu: 100m\n memory: 30Mi\n requests:\n cpu: 100m\n memory: 20Mi\n - args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=10\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubebuilder-kube-rbac-proxy:v0.4.0-83234\n name: kube-rbac-proxy\n ports:\n - containerPort: 8443\n name: https\n serviceAccountName: tensorboard-controller\n terminationGracePeriodSeconds: 10\n"
},
{
"path": "manifest1.3/027-tensorboard-overlays-istio.yaml",
"content": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n name: tensorboards-web-app-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n name: tensorboards-web-app-cluster-role\nrules:\n- apiGroups:\n - \"\"\n resources:\n - namespaces\n verbs:\n - get\n - list\n- apiGroups:\n - authorization.k8s.io\n resources:\n - subjectaccessreviews\n verbs:\n - create\n- apiGroups:\n - tensorboard.kubeflow.org\n resources:\n - tensorboards\n - tensorboards/finalizers\n verbs:\n - get\n - list\n - create\n - delete\n- apiGroups:\n - \"\"\n resources:\n - persistentvolumeclaims\n verbs:\n - create\n - delete\n - get\n - list\n- apiGroups:\n - storage.k8s.io\n resources:\n - storageclasses\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: tensorboards-web-app-kubeflow-tensorboard-ui-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n name: tensorboards-web-app-kubeflow-tensorboard-ui-edit\nrules:\n- apiGroups:\n - tensorboard.kubeflow.org\n resources:\n - tensorboards\n - tensorboards/finalizers\n verbs:\n - get\n - list\n - create\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: tensorboards-web-app-kubeflow-tensorboard-ui-view\nrules:\n- apiGroups:\n - tensorboard.kubeflow.org\n resources:\n - tensorboards\n - tensorboards/finalizers\n verbs:\n - get\n - list\n- apiGroups:\n - storage.k8s.io\n resources:\n - storageclasses\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n name: tensorboards-web-app-cluster-role-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: tensorboards-web-app-cluster-role\nsubjects:\n- kind: ServiceAccount\n name: tensorboards-web-app-service-account\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n TWA_CLUSTER_DOMAIN: cluster.local\n TWA_PREFIX: /tensorboards\n TWA_USERID_HEADER: kubeflow-userid\n TWA_USERID_PREFIX: \"\"\nkind: ConfigMap\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n name: tensorboards-web-app-parameters-g28fbd6cch\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n run: tensorboards-web-app\n name: tensorboards-web-app-service\n namespace: kubeflow\nspec:\n ports:\n - name: http\n port: 80\n protocol: TCP\n targetPort: 5000\n selector:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n type: ClusterIP\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n name: tensorboards-web-app-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n spec:\n containers:\n - env:\n - name: APP_PREFIX\n value: /tensorboards\n - name: USERID_HEADER\n value: kubeflow-userid\n - name: USERID_PREFIX\n value: \"\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-tensorboards-web-app:v1.3.0-rc.0-258dd\n name: tensorboards-web-app\n ports:\n - containerPort: 5000\n serviceAccountName: tensorboards-web-app-service-account\n---\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n name: tensorboards-web-app-tensorboards-web-app\n namespace: kubeflow\nspec:\n gateways:\n - kubeflow-gateway\n hosts:\n - '*'\n http:\n - headers:\n request:\n add:\n x-forwarded-prefix: /tensorboards\n match:\n - uri:\n prefix: /tensorboards/\n rewrite:\n uri: /\n route:\n - destination:\n host: tensorboards-web-app-service.kubeflow.svc.cluster.local\n port:\n number: 80\n"
},
{
"path": "manifest1.3/028-tf-training-overlays-kubeflow.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n name: tfjobs.kubeflow.org\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[-1:].type\n name: State\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n group: kubeflow.org\n names:\n kind: TFJob\n plural: tfjobs\n singular: tfjob\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n tfReplicaSpecs:\n properties:\n Chief:\n properties:\n replicas:\n maximum: 1\n minimum: 1\n type: integer\n Evaluator:\n properties:\n replicas:\n minimum: 0\n type: integer\n PS:\n properties:\n replicas:\n minimum: 1\n type: integer\n Worker:\n properties:\n replicas:\n minimum: 1\n type: integer\n versions:\n - name: v1\n served: true\n storage: true\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n name: tf-job-operator\n namespace: kubeflow\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: kubeflow-tfjobs-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: \"true\"\n name: kubeflow-tfjobs-edit\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - tfjobs\n - tfjobs/status\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: kubeflow-tfjobs-view\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - tfjobs\n - tfjobs/status\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n name: tf-job-operator\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - tfjobs\n - tfjobs/status\n - tfjobs/finalizers\n verbs:\n - '*'\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - pods\n - services\n - endpoints\n - events\n verbs:\n - '*'\n- apiGroups:\n - apps\n - extensions\n resources:\n - deployments\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n name: tf-job-operator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: tf-job-operator\nsubjects:\n- kind: ServiceAccount\n name: tf-job-operator\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n annotations:\n prometheus.io/path: /metrics\n prometheus.io/port: \"8443\"\n prometheus.io/scrape: \"true\"\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n name: tf-job-operator\n namespace: kubeflow\nspec:\n ports:\n - name: monitoring-port\n port: 8443\n targetPort: 8443\n selector:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n name: tf-job-operator\n type: ClusterIP\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n name: tf-job-operator\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: tf-job-operator\n app.kubernetes.io/component: tfjob\n app.kubernetes.io/name: tf-job-operator\n kustomize.component: tf-job-operator\n name: tf-job-operator\n spec:\n containers:\n - args:\n - -monitoring-port=8443\n env:\n - name: MY_POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: MY_POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/training-tf-operator:cd2fc1ff397b1f349f68524f4abd5013a32e3033-b54e1\n name: tf-job-operator\n serviceAccountName: tf-job-operator\n"
},
{
"path": "manifest1.3/029-pytorch-job-overlays-kubeflow.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n name: pytorchjobs.kubeflow.org\nspec:\n additionalPrinterColumns:\n - JSONPath: .status.conditions[-1:].type\n name: State\n type: string\n - JSONPath: .metadata.creationTimestamp\n name: Age\n type: date\n group: kubeflow.org\n names:\n kind: PyTorchJob\n plural: pytorchjobs\n singular: pytorchjob\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n pytorchReplicaSpecs:\n properties:\n Master:\n properties:\n replicas:\n maximum: 1\n minimum: 1\n type: integer\n Worker:\n properties:\n replicas:\n minimum: 1\n type: integer\n versions:\n - name: v1\n served: true\n storage: true\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n name: pytorch-operator\n namespace: kubeflow\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: kubeflow-pytorchjobs-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: \"true\"\n name: kubeflow-pytorchjobs-edit\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - pytorchjobs\n - pytorchjobs/status\n - pytorchjobs/finalizers\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: kubeflow-pytorchjobs-view\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - pytorchjobs\n - pytorchjobs/status\n - pytorchjobs/finalizers\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n name: pytorch-operator\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - pytorchjobs\n - pytorchjobs/status\n - pytorchjobs/finalizers\n verbs:\n - '*'\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - pods\n - services\n - endpoints\n - events\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n name: pytorch-operator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: pytorch-operator\nsubjects:\n- kind: ServiceAccount\n name: pytorch-operator\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n annotations:\n prometheus.io/path: /metrics\n prometheus.io/port: \"8443\"\n prometheus.io/scrape: \"true\"\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n name: pytorch-operator\n namespace: kubeflow\nspec:\n ports:\n - name: monitoring-port\n port: 8443\n targetPort: 8443\n selector:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n name: pytorch-operator\n type: ClusterIP\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n name: pytorch-operator\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n name: pytorch-operator\n template:\n metadata:\n labels:\n app: pytorch-operator\n app.kubernetes.io/component: pytorch\n app.kubernetes.io/name: pytorch-operator\n kustomize.component: pytorch-operator\n name: pytorch-operator\n spec:\n containers:\n - command:\n - /pytorch-operator.v1\n - --alsologtostderr\n - -v=1\n - --monitoring-port=8443\n env:\n - name: MY_POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: MY_POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflow-images-public-pytorch-operator:vmaster-g518f9c76-4fc09\n name: pytorch-operator\n serviceAccountName: pytorch-operator\n"
},
{
"path": "manifest1.3/030-mpi-job-overlays-kubeflow.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n name: mpijobs.kubeflow.org\nspec:\n group: kubeflow.org\n names:\n kind: MPIJob\n plural: mpijobs\n shortNames:\n - mj\n - mpij\n singular: mpijob\n scope: Namespaced\n versions:\n - name: v1alpha1\n schema:\n openAPIV3Schema:\n properties:\n spec:\n description: Only one of gpus, processingUnits, or replicas should be specified\n oneOf:\n - properties:\n gpus:\n description: Valid values are 1, 2, 4, or any multiple of 8\n oneOf:\n - enum:\n - 1\n - 2\n - 4\n type: integer\n - minimum: 8\n multipleOf: 8\n type: integer\n title: Total number of GPUs\n gpusPerNode:\n description: Defaults to the number of GPUs per worker\n minimum: 1\n title: The maximum number of GPUs available per node\n type: integer\n slotsPerWorker:\n description: Defaults to the number of processing units per worker\n minimum: 1\n title: The number of slots per worker used in hostfile\n type: integer\n required:\n - gpus\n - properties:\n processingResourceType:\n description: Defaults to 'nvidia.com/gpu'\n enum:\n - nvidia.com/gpu\n - cpu\n title: The processing resource type, e.g. 'nvidia.com/gpu' or 'cpu'\n type: string\n processingUnits:\n description: Valid values are 1, 2, 4, or any multiple of 8\n oneOf:\n - enum:\n - 1\n - 2\n - 4\n type: integer\n - minimum: 8\n multipleOf: 8\n type: integer\n title: Total number of processing units\n processingUnitsPerNode:\n description: Defaults to the number of processing units per worker\n minimum: 1\n title: The maximum number of processing units available per node\n type: integer\n slotsPerWorker:\n description: Defaults to the number of processing units per worker\n minimum: 1\n title: The number of slots per worker used in hostfile\n type: integer\n required:\n - processingUnits\n - properties:\n processingResourceType:\n description: Defaults to 'nvidia.com/gpu'\n enum:\n - nvidia.com/gpu\n - cpu\n title: The processing resource type, e.g. 'nvidia.com/gpu' or 'cpu'\n type: string\n replicas:\n description: The processing resource limit should be specified for each replica\n minimum: 1\n title: Total number of replicas\n type: integer\n slotsPerWorker:\n description: Defaults to the number of processing units per worker\n minimum: 1\n title: The number of slots per worker used in hostfile\n type: integer\n required:\n - replicas\n title: The MPIJob spec\n served: false\n storage: false\n - name: v1alpha2\n schema:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n mpiReplicaSpecs:\n properties:\n Launcher:\n properties:\n replicas:\n maximum: 1\n minimum: 1\n type: integer\n Worker:\n properties:\n replicas:\n minimum: 1\n type: integer\n slotsPerWorker:\n minimum: 1\n type: integer\n served: true\n storage: false\n - name: v1\n schema:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n mpiReplicaSpecs:\n properties:\n Launcher:\n properties:\n replicas:\n maximum: 1\n minimum: 1\n type: integer\n Worker:\n properties:\n replicas:\n minimum: 1\n type: integer\n slotsPerWorker:\n minimum: 1\n type: integer\n served: true\n storage: true\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n name: mpi-operator\n namespace: kubeflow\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: kubeflow-mpijobs-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: \"true\"\n name: kubeflow-mpijobs-edit\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - mpijobs\n - mpijobs/status\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: kubeflow-mpijobs-view\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - mpijobs\n - mpijobs/status\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n name: mpi-operator\nrules:\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n - serviceaccounts\n verbs:\n - create\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - pods\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"\"\n resources:\n - pods/exec\n verbs:\n - create\n- apiGroups:\n - \"\"\n resources:\n - endpoints\n verbs:\n - create\n - get\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n- apiGroups:\n - rbac.authorization.k8s.io\n resources:\n - roles\n - rolebindings\n verbs:\n - create\n - list\n - watch\n- apiGroups:\n - policy\n resources:\n - poddisruptionbudgets\n verbs:\n - create\n - list\n - update\n - watch\n- apiGroups:\n - apps\n resources:\n - statefulsets\n verbs:\n - create\n - list\n - update\n - watch\n- apiGroups:\n - batch\n resources:\n - jobs\n verbs:\n - create\n - list\n - update\n - watch\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - create\n - get\n- apiGroups:\n - kubeflow.org\n resources:\n - mpijobs\n - mpijobs/finalizers\n - mpijobs/status\n verbs:\n - '*'\n- apiGroups:\n - scheduling.incubator.k8s.io\n - scheduling.sigs.dev\n resources:\n - queues\n - podgroups\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n name: mpi-operator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: mpi-operator\nsubjects:\n- kind: ServiceAccount\n name: mpi-operator\n namespace: kubeflow\n---\napiVersion: v1\ndata:\n kubectl-delivery-image: mpioperator/kubectl-delivery:latest\n lock-namespace: kubeflow\nkind: ConfigMap\nmetadata:\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n name: mpi-operator-config\n namespace: kubeflow\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n name: mpi-operator\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: mpi-operator\n app.kubernetes.io/component: mpijob\n app.kubernetes.io/name: mpi-operator\n kustomize.component: mpi-operator\n spec:\n containers:\n - args:\n - -alsologtostderr\n - --lock-namespace\n - kubeflow\n - --kubectl-delivery-image\n - mpioperator/kubectl-delivery:latest\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/mpioperator-mpi-operator:latest-d32b4\n imagePullPolicy: Always\n name: mpi-operator\n serviceAccountName: mpi-operator\n"
},
{
"path": "manifest1.3/031-mxnet-job-overlays-kubeflow.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n labels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n name: mxjobs.kubeflow.org\nspec:\n group: kubeflow.org\n names:\n kind: MXJob\n plural: mxjobs\n singular: mxjob\n scope: Namespaced\n subresources:\n status: {}\n validation:\n openAPIV3Schema:\n properties:\n spec:\n properties:\n mxReplicaSpecs:\n properties:\n Scheduler:\n properties:\n replicas:\n maximum: 1\n minimum: 1\n type: integer\n Server:\n properties:\n replicas:\n minimum: 1\n type: integer\n Tuner:\n properties:\n replicas:\n maximum: 1\n minimum: 1\n type: integer\n TunerServer:\n properties:\n replicas:\n minimum: 1\n type: integer\n TunerTracker:\n properties:\n replicas:\n maximum: 1\n minimum: 1\n type: integer\n Worker:\n properties:\n replicas:\n minimum: 1\n type: integer\n version: v1\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n name: mxnet-operator\n namespace: kubeflow\n---\naggregationRule:\n clusterRoleSelectors:\n - matchLabels:\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mxjobs-admin: \"true\"\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: \"true\"\n name: kubeflow-mxjobs-admin\nrules: []\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: \"true\"\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mxjobs-admin: \"true\"\n name: kubeflow-mxjobs-edit\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - mxjobs\n - mxjobs/status\n verbs:\n - get\n - list\n - watch\n - create\n - delete\n - deletecollection\n - patch\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: \"true\"\n name: kubeflow-mxjobs-view\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - mxjobs\n - mxjobs/status\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRole\nmetadata:\n labels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n name: mxnet-operator\nrules:\n- apiGroups:\n - kubeflow.org\n resources:\n - mxjobs\n verbs:\n - '*'\n- apiGroups:\n - apiextensions.k8s.io\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - storage.k8s.io\n resources:\n - storageclasses\n verbs:\n - '*'\n- apiGroups:\n - batch\n resources:\n - jobs\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n - pods\n - services\n - endpoints\n - persistentvolumeclaims\n - events\n verbs:\n - '*'\n- apiGroups:\n - apps\n - extensions\n resources:\n - deployments\n verbs:\n - '*'\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n name: mxnet-operator\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: mxnet-operator\nsubjects:\n- kind: ServiceAccount\n name: mxnet-operator\n namespace: kubeflow\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n name: mxnet-operator\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: mxnet-operator\n app.kubernetes.io/component: mxnet\n app.kubernetes.io/name: mxnet-operator\n kustomize.component: mxnet-operator\n spec:\n containers:\n - command:\n - /opt/kubeflow/mxnet-operator.v1\n env:\n - name: MY_POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: MY_POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflow-mxnet-operator:v1.1.0-9863e\n imagePullPolicy: Always\n name: mxnet-operator\n serviceAccountName: mxnet-operator\n"
},
{
"path": "manifest1.3/032-xgboost-job-overlays-kubeflow.yaml",
"content": "apiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n labels:\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n name: xgboostjobs.xgboostjob.kubeflow.org\nspec:\n group: xgboostjob.kubeflow.org\n names:\n kind: XGBoostJob\n listKind: XGBoostJobList\n plural: xgboostjobs\n singular: xgboostjob\n scope: \"\"\n validation:\n openAPIV3Schema:\n description: XGBoostJob is the Schema for the xgboostjobs API\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: XGBoostJobSpec defines the desired state of XGBoostJob\n properties:\n activeDeadlineSeconds:\n description: Specifies the duration in seconds relative to the startTime that the job may be active before the system tries to terminate it; value must be positive integer.\n format: int64\n type: integer\n backoffLimit:\n description: Optional number of retries before marking this job failed.\n format: int32\n type: integer\n cleanPodPolicy:\n description: CleanPodPolicy defines the policy to kill pods after the job completes. Default to Running.\n type: string\n schedulingPolicy:\n description: SchedulingPolicy defines the policy related to scheduling, e.g. gang-scheduling\n properties:\n minAvailable:\n format: int32\n type: integer\n type: object\n ttlSecondsAfterFinished:\n description: TTLSecondsAfterFinished is the TTL to clean up jobs. It may take extra ReconcilePeriod seconds for the cleanup, since reconcile gets called periodically. Default to infinite.\n format: int32\n type: integer\n xgbReplicaSpecs:\n additionalProperties:\n description: ReplicaSpec is a description of the replica\n properties:\n replicas:\n description: Replicas is the desired number of replicas of the given template. If unspecified, defaults to 1.\n format: int32\n type: integer\n restartPolicy:\n description: Restart policy for all replicas within the job. One of Always, OnFailure, Never and ExitCode. Default to Never.\n type: string\n template:\n description: Template is the object that describes the pod that will be created for this replica. RestartPolicy in PodTemplateSpec will be overide by RestartPolicy in ReplicaSpec\n properties:\n metadata:\n description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'\n type: object\n spec:\n description: 'Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'\n properties:\n activeDeadlineSeconds:\n description: Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.\n format: int64\n type: integer\n affinity:\n description: If specified, the pod's scheduling constraints\n properties:\n nodeAffinity:\n description: Describes node affinity scheduling rules for the pod.\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.\n items:\n description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).\n properties:\n preference:\n description: A node selector term, associated with the corresponding weight.\n properties:\n matchExpressions:\n description: A list of node selector requirements by node's labels.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n description: A list of node selector requirements by node's fields.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n weight:\n description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - preference\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.\n properties:\n nodeSelectorTerms:\n description: Required. A list of node selector terms. The terms are ORed.\n items:\n description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.\n properties:\n matchExpressions:\n description: A list of node selector requirements by node's labels.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchFields:\n description: A list of node selector requirements by node's fields.\n items:\n description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: The label key that the selector applies to.\n type: string\n operator:\n description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n type: string\n values:\n description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n type: object\n type: array\n required:\n - nodeSelectorTerms\n type: object\n type: object\n podAffinity:\n description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.\n items:\n description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)\n properties:\n podAffinityTerm:\n description: Required. A pod affinity term, associated with the corresponding weight.\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n weight:\n description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.\n items:\n description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n podAntiAffinity:\n description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).\n properties:\n preferredDuringSchedulingIgnoredDuringExecution:\n description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.\n items:\n description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)\n properties:\n podAffinityTerm:\n description: Required. A pod affinity term, associated with the corresponding weight.\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n weight:\n description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.\n format: int32\n type: integer\n required:\n - podAffinityTerm\n - weight\n type: object\n type: array\n requiredDuringSchedulingIgnoredDuringExecution:\n description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.\n items:\n description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running\n properties:\n labelSelector:\n description: A label query over a set of resources, in this case pods.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n namespaces:\n description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"\n items:\n type: string\n type: array\n topologyKey:\n description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.\n type: string\n required:\n - topologyKey\n type: object\n type: array\n type: object\n type: object\n automountServiceAccountToken:\n description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.\n type: boolean\n containers:\n description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.\n items:\n description: A single application container that you want to run within a pod.\n properties:\n args:\n description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'\n items:\n type: string\n type: array\n command:\n description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'\n items:\n type: string\n type: array\n env:\n description: List of environment variables to set in the container. Cannot be updated.\n items:\n description: EnvVar represents an environment variable present in a Container.\n properties:\n name:\n description: Name of the environment variable. Must be a C_IDENTIFIER.\n type: string\n value:\n description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".'\n type: string\n valueFrom:\n description: Source for the environment variable's value. Cannot be used if value is not empty.\n properties:\n configMapKeyRef:\n description: Selects a key of a ConfigMap.\n properties:\n key:\n description: The key to select.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the ConfigMap or its key must be defined\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.'\n properties:\n apiVersion:\n description: Version of the schema the FieldPath is written in terms of, defaults to \"v1\".\n type: string\n fieldPath:\n description: Path of the field to select in the specified API version.\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.'\n properties:\n containerName:\n description: 'Container name: required for volumes, optional for env vars'\n type: string\n divisor:\n description: Specifies the output format of the exposed resources, defaults to \"1\"\n type: string\n resource:\n description: 'Required: resource to select'\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n description: Selects a key of a secret in the pod's namespace\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the Secret or its key must be defined\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.\n items:\n description: EnvFromSource represents the source of a set of ConfigMaps\n properties:\n configMapRef:\n description: The ConfigMap to select from\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the ConfigMap must be defined\n type: boolean\n type: object\n prefix:\n description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.\n type: string\n secretRef:\n description: The Secret to select from\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the Secret must be defined\n type: boolean\n type: object\n type: object\n type: array\n image:\n description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.'\n type: string\n imagePullPolicy:\n description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'\n type: string\n lifecycle:\n description: Actions that the management system should take in response to container lifecycle events. Cannot be updated.\n properties:\n postStart:\n description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n type: object\n preStop:\n description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.\n format: int32\n type: integer\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.\n format: int32\n type: integer\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n timeoutSeconds:\n description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n type: object\n name:\n description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.\n type: string\n ports:\n description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default \"0.0.0.0\" address inside a container will be accessible from the network. Cannot be updated.\n items:\n description: ContainerPort represents a network port in a single container.\n properties:\n containerPort:\n description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.\n format: int32\n type: integer\n hostIP:\n description: What host IP to bind the external port to.\n type: string\n hostPort:\n description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.\n format: int32\n type: integer\n name:\n description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.\n type: string\n protocol:\n description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to \"TCP\".\n type: string\n required:\n - containerPort\n type: object\n type: array\n readinessProbe:\n description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.\n format: int32\n type: integer\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.\n format: int32\n type: integer\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n timeoutSeconds:\n description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n type: object\n resources:\n description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'\n properties:\n limits:\n additionalProperties:\n type: string\n description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'\n type: object\n requests:\n additionalProperties:\n type: string\n description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'\n type: object\n type: object\n securityContext:\n description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/'\n properties:\n allowPrivilegeEscalation:\n description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN'\n type: boolean\n capabilities:\n description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.\n properties:\n add:\n description: Added capabilities\n items:\n description: Capability represent POSIX capabilities type\n type: string\n type: array\n drop:\n description: Removed capabilities\n items:\n description: Capability represent POSIX capabilities type\n type: string\n type: array\n type: object\n privileged:\n description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.\n type: boolean\n procMount:\n description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.\n type: string\n readOnlyRootFilesystem:\n description: Whether this container has a read-only root filesystem. Default is false.\n type: boolean\n runAsGroup:\n description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n format: int64\n type: integer\n runAsNonRoot:\n description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n type: boolean\n runAsUser:\n description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n format: int64\n type: integer\n seLinuxOptions:\n description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n properties:\n level:\n description: Level is SELinux level label that applies to the container.\n type: string\n role:\n description: Role is a SELinux role label that applies to the container.\n type: string\n type:\n description: Type is a SELinux type label that applies to the container.\n type: string\n user:\n description: User is a SELinux user label that applies to the container.\n type: string\n type: object\n windowsOptions:\n description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n properties:\n gmsaCredentialSpec:\n description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.\n type: string\n gmsaCredentialSpecName:\n description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.\n type: string\n runAsUserName:\n description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag.\n type: string\n type: object\n type: object\n startupProbe:\n description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.\n format: int32\n type: integer\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.\n format: int32\n type: integer\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n timeoutSeconds:\n description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n type: object\n stdin:\n description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.\n type: boolean\n stdinOnce:\n description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false\n type: boolean\n terminationMessagePath:\n description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.'\n type: string\n terminationMessagePolicy:\n description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.\n type: string\n tty:\n description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.\n type: boolean\n volumeDevices:\n description: volumeDevices is the list of block devices to be used by the container. This is a beta feature.\n items:\n description: volumeDevice describes a mapping of a raw block device within a container.\n properties:\n devicePath:\n description: devicePath is the path inside of the container that the device will be mapped to.\n type: string\n name:\n description: name must match the name of a persistentVolumeClaim in the pod\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n description: Pod volumes to mount into the container's filesystem. Cannot be updated.\n items:\n description: VolumeMount describes a mounting of a Volume within a container.\n properties:\n mountPath:\n description: Path within the container at which the volume should be mounted. Must not contain ':'.\n type: string\n mountPropagation:\n description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.\n type: string\n name:\n description: This must match the Name of a Volume.\n type: string\n readOnly:\n description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.\n type: boolean\n subPath:\n description: Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).\n type: string\n subPathExpr:\n description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15.\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.\n type: string\n required:\n - name\n type: object\n type: array\n dnsConfig:\n description: Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.\n properties:\n nameservers:\n description: A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.\n items:\n type: string\n type: array\n options:\n description: A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.\n items:\n description: PodDNSConfigOption defines DNS resolver options of a pod.\n properties:\n name:\n description: Required.\n type: string\n value:\n type: string\n type: object\n type: array\n searches:\n description: A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.\n items:\n type: string\n type: array\n type: object\n dnsPolicy:\n description: Set DNS policy for the pod. Defaults to \"ClusterFirst\". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.\n type: string\n enableServiceLinks:\n description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.'\n type: boolean\n ephemeralContainers:\n description: List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.\n items:\n description: An EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag.\n properties:\n args:\n description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'\n items:\n type: string\n type: array\n command:\n description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'\n items:\n type: string\n type: array\n env:\n description: List of environment variables to set in the container. Cannot be updated.\n items:\n description: EnvVar represents an environment variable present in a Container.\n properties:\n name:\n description: Name of the environment variable. Must be a C_IDENTIFIER.\n type: string\n value:\n description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".'\n type: string\n valueFrom:\n description: Source for the environment variable's value. Cannot be used if value is not empty.\n properties:\n configMapKeyRef:\n description: Selects a key of a ConfigMap.\n properties:\n key:\n description: The key to select.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the ConfigMap or its key must be defined\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.'\n properties:\n apiVersion:\n description: Version of the schema the FieldPath is written in terms of, defaults to \"v1\".\n type: string\n fieldPath:\n description: Path of the field to select in the specified API version.\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.'\n properties:\n containerName:\n description: 'Container name: required for volumes, optional for env vars'\n type: string\n divisor:\n description: Specifies the output format of the exposed resources, defaults to \"1\"\n type: string\n resource:\n description: 'Required: resource to select'\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n description: Selects a key of a secret in the pod's namespace\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the Secret or its key must be defined\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.\n items:\n description: EnvFromSource represents the source of a set of ConfigMaps\n properties:\n configMapRef:\n description: The ConfigMap to select from\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the ConfigMap must be defined\n type: boolean\n type: object\n prefix:\n description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.\n type: string\n secretRef:\n description: The Secret to select from\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the Secret must be defined\n type: boolean\n type: object\n type: object\n type: array\n image:\n description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images'\n type: string\n imagePullPolicy:\n description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'\n type: string\n lifecycle:\n description: Lifecycle is not allowed for ephemeral containers.\n properties:\n postStart:\n description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n type: object\n preStop:\n description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n description: Probes are not allowed for ephemeral containers.\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.\n format: int32\n type: integer\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.\n format: int32\n type: integer\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n timeoutSeconds:\n description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n type: object\n name:\n description: Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers.\n type: string\n ports:\n description: Ports are not allowed for ephemeral containers.\n items:\n description: ContainerPort represents a network port in a single container.\n properties:\n containerPort:\n description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.\n format: int32\n type: integer\n hostIP:\n description: What host IP to bind the external port to.\n type: string\n hostPort:\n description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.\n format: int32\n type: integer\n name:\n description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.\n type: string\n protocol:\n description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to \"TCP\".\n type: string\n required:\n - containerPort\n type: object\n type: array\n readinessProbe:\n description: Probes are not allowed for ephemeral containers.\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.\n format: int32\n type: integer\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.\n format: int32\n type: integer\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n timeoutSeconds:\n description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n type: object\n resources:\n description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod.\n properties:\n limits:\n additionalProperties:\n type: string\n description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'\n type: object\n requests:\n additionalProperties:\n type: string\n description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'\n type: object\n type: object\n securityContext:\n description: SecurityContext is not allowed for ephemeral containers.\n properties:\n allowPrivilegeEscalation:\n description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN'\n type: boolean\n capabilities:\n description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.\n properties:\n add:\n description: Added capabilities\n items:\n description: Capability represent POSIX capabilities type\n type: string\n type: array\n drop:\n description: Removed capabilities\n items:\n description: Capability represent POSIX capabilities type\n type: string\n type: array\n type: object\n privileged:\n description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.\n type: boolean\n procMount:\n description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.\n type: string\n readOnlyRootFilesystem:\n description: Whether this container has a read-only root filesystem. Default is false.\n type: boolean\n runAsGroup:\n description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n format: int64\n type: integer\n runAsNonRoot:\n description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n type: boolean\n runAsUser:\n description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n format: int64\n type: integer\n seLinuxOptions:\n description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n properties:\n level:\n description: Level is SELinux level label that applies to the container.\n type: string\n role:\n description: Role is a SELinux role label that applies to the container.\n type: string\n type:\n description: Type is a SELinux type label that applies to the container.\n type: string\n user:\n description: User is a SELinux user label that applies to the container.\n type: string\n type: object\n windowsOptions:\n description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n properties:\n gmsaCredentialSpec:\n description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.\n type: string\n gmsaCredentialSpecName:\n description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.\n type: string\n runAsUserName:\n description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag.\n type: string\n type: object\n type: object\n startupProbe:\n description: Probes are not allowed for ephemeral containers.\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.\n format: int32\n type: integer\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.\n format: int32\n type: integer\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n timeoutSeconds:\n description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n type: object\n stdin:\n description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.\n type: boolean\n stdinOnce:\n description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false\n type: boolean\n targetContainerName:\n description: If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature.\n type: string\n terminationMessagePath:\n description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.'\n type: string\n terminationMessagePolicy:\n description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.\n type: string\n tty:\n description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.\n type: boolean\n volumeDevices:\n description: volumeDevices is the list of block devices to be used by the container. This is a beta feature.\n items:\n description: volumeDevice describes a mapping of a raw block device within a container.\n properties:\n devicePath:\n description: devicePath is the path inside of the container that the device will be mapped to.\n type: string\n name:\n description: name must match the name of a persistentVolumeClaim in the pod\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n description: Pod volumes to mount into the container's filesystem. Cannot be updated.\n items:\n description: VolumeMount describes a mounting of a Volume within a container.\n properties:\n mountPath:\n description: Path within the container at which the volume should be mounted. Must not contain ':'.\n type: string\n mountPropagation:\n description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.\n type: string\n name:\n description: This must match the Name of a Volume.\n type: string\n readOnly:\n description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.\n type: boolean\n subPath:\n description: Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).\n type: string\n subPathExpr:\n description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15.\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.\n type: string\n required:\n - name\n type: object\n type: array\n hostAliases:\n description: HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods.\n items:\n description: HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.\n properties:\n hostnames:\n description: Hostnames for the above IP address.\n items:\n type: string\n type: array\n ip:\n description: IP address of the host file entry.\n type: string\n type: object\n type: array\n hostIPC:\n description: 'Use the host''s ipc namespace. Optional: Default to false.'\n type: boolean\n hostNetwork:\n description: Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.\n type: boolean\n hostPID:\n description: 'Use the host''s pid namespace. Optional: Default to false.'\n type: boolean\n hostname:\n description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.\n type: string\n imagePullSecrets:\n description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod'\n items:\n description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n type: object\n type: array\n initContainers:\n description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/'\n items:\n description: A single application container that you want to run within a pod.\n properties:\n args:\n description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'\n items:\n type: string\n type: array\n command:\n description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'\n items:\n type: string\n type: array\n env:\n description: List of environment variables to set in the container. Cannot be updated.\n items:\n description: EnvVar represents an environment variable present in a Container.\n properties:\n name:\n description: Name of the environment variable. Must be a C_IDENTIFIER.\n type: string\n value:\n description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".'\n type: string\n valueFrom:\n description: Source for the environment variable's value. Cannot be used if value is not empty.\n properties:\n configMapKeyRef:\n description: Selects a key of a ConfigMap.\n properties:\n key:\n description: The key to select.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the ConfigMap or its key must be defined\n type: boolean\n required:\n - key\n type: object\n fieldRef:\n description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.'\n properties:\n apiVersion:\n description: Version of the schema the FieldPath is written in terms of, defaults to \"v1\".\n type: string\n fieldPath:\n description: Path of the field to select in the specified API version.\n type: string\n required:\n - fieldPath\n type: object\n resourceFieldRef:\n description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.'\n properties:\n containerName:\n description: 'Container name: required for volumes, optional for env vars'\n type: string\n divisor:\n description: Specifies the output format of the exposed resources, defaults to \"1\"\n type: string\n resource:\n description: 'Required: resource to select'\n type: string\n required:\n - resource\n type: object\n secretKeyRef:\n description: Selects a key of a secret in the pod's namespace\n properties:\n key:\n description: The key of the secret to select from. Must be a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the Secret or its key must be defined\n type: boolean\n required:\n - key\n type: object\n type: object\n required:\n - name\n type: object\n type: array\n envFrom:\n description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.\n items:\n description: EnvFromSource represents the source of a set of ConfigMaps\n properties:\n configMapRef:\n description: The ConfigMap to select from\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the ConfigMap must be defined\n type: boolean\n type: object\n prefix:\n description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.\n type: string\n secretRef:\n description: The Secret to select from\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the Secret must be defined\n type: boolean\n type: object\n type: object\n type: array\n image:\n description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.'\n type: string\n imagePullPolicy:\n description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'\n type: string\n lifecycle:\n description: Actions that the management system should take in response to container lifecycle events. Cannot be updated.\n properties:\n postStart:\n description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n type: object\n preStop:\n description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n type: object\n type: object\n livenessProbe:\n description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.\n format: int32\n type: integer\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.\n format: int32\n type: integer\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n timeoutSeconds:\n description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n type: object\n name:\n description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.\n type: string\n ports:\n description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default \"0.0.0.0\" address inside a container will be accessible from the network. Cannot be updated.\n items:\n description: ContainerPort represents a network port in a single container.\n properties:\n containerPort:\n description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.\n format: int32\n type: integer\n hostIP:\n description: What host IP to bind the external port to.\n type: string\n hostPort:\n description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.\n format: int32\n type: integer\n name:\n description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.\n type: string\n protocol:\n description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to \"TCP\".\n type: string\n required:\n - containerPort\n type: object\n type: array\n readinessProbe:\n description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.\n format: int32\n type: integer\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.\n format: int32\n type: integer\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n timeoutSeconds:\n description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n type: object\n resources:\n description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'\n properties:\n limits:\n additionalProperties:\n type: string\n description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'\n type: object\n requests:\n additionalProperties:\n type: string\n description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'\n type: object\n type: object\n securityContext:\n description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/'\n properties:\n allowPrivilegeEscalation:\n description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN'\n type: boolean\n capabilities:\n description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.\n properties:\n add:\n description: Added capabilities\n items:\n description: Capability represent POSIX capabilities type\n type: string\n type: array\n drop:\n description: Removed capabilities\n items:\n description: Capability represent POSIX capabilities type\n type: string\n type: array\n type: object\n privileged:\n description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.\n type: boolean\n procMount:\n description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.\n type: string\n readOnlyRootFilesystem:\n description: Whether this container has a read-only root filesystem. Default is false.\n type: boolean\n runAsGroup:\n description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n format: int64\n type: integer\n runAsNonRoot:\n description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n type: boolean\n runAsUser:\n description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n format: int64\n type: integer\n seLinuxOptions:\n description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n properties:\n level:\n description: Level is SELinux level label that applies to the container.\n type: string\n role:\n description: Role is a SELinux role label that applies to the container.\n type: string\n type:\n description: Type is a SELinux type label that applies to the container.\n type: string\n user:\n description: User is a SELinux user label that applies to the container.\n type: string\n type: object\n windowsOptions:\n description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n properties:\n gmsaCredentialSpec:\n description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.\n type: string\n gmsaCredentialSpecName:\n description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.\n type: string\n runAsUserName:\n description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag.\n type: string\n type: object\n type: object\n startupProbe:\n description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n properties:\n exec:\n description: One and only one of the following should be specified. Exec specifies the action to take.\n properties:\n command:\n description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.\n items:\n type: string\n type: array\n type: object\n failureThreshold:\n description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.\n format: int32\n type: integer\n httpGet:\n description: HTTPGet specifies the http request to perform.\n properties:\n host:\n description: Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.\n type: string\n httpHeaders:\n description: Custom headers to set in the request. HTTP allows repeated headers.\n items:\n description: HTTPHeader describes a custom header to be used in HTTP probes\n properties:\n name:\n description: The header field name\n type: string\n value:\n description: The header field value\n type: string\n required:\n - name\n - value\n type: object\n type: array\n path:\n description: Path to access on the HTTP server.\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n scheme:\n description: Scheme to use for connecting to the host. Defaults to HTTP.\n type: string\n required:\n - port\n type: object\n initialDelaySeconds:\n description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n periodSeconds:\n description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.\n format: int32\n type: integer\n successThreshold:\n description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.\n format: int32\n type: integer\n tcpSocket:\n description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook'\n properties:\n host:\n description: 'Optional: Host name to connect to, defaults to the pod IP.'\n type: string\n port:\n anyOf:\n - type: string\n - type: integer\n description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.\n required:\n - port\n type: object\n timeoutSeconds:\n description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'\n format: int32\n type: integer\n type: object\n stdin:\n description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.\n type: boolean\n stdinOnce:\n description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false\n type: boolean\n terminationMessagePath:\n description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.'\n type: string\n terminationMessagePolicy:\n description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.\n type: string\n tty:\n description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.\n type: boolean\n volumeDevices:\n description: volumeDevices is the list of block devices to be used by the container. This is a beta feature.\n items:\n description: volumeDevice describes a mapping of a raw block device within a container.\n properties:\n devicePath:\n description: devicePath is the path inside of the container that the device will be mapped to.\n type: string\n name:\n description: name must match the name of a persistentVolumeClaim in the pod\n type: string\n required:\n - devicePath\n - name\n type: object\n type: array\n volumeMounts:\n description: Pod volumes to mount into the container's filesystem. Cannot be updated.\n items:\n description: VolumeMount describes a mounting of a Volume within a container.\n properties:\n mountPath:\n description: Path within the container at which the volume should be mounted. Must not contain ':'.\n type: string\n mountPropagation:\n description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.\n type: string\n name:\n description: This must match the Name of a Volume.\n type: string\n readOnly:\n description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.\n type: boolean\n subPath:\n description: Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).\n type: string\n subPathExpr:\n description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15.\n type: string\n required:\n - mountPath\n - name\n type: object\n type: array\n workingDir:\n description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.\n type: string\n required:\n - name\n type: object\n type: array\n nodeName:\n description: NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.\n type: string\n nodeSelector:\n additionalProperties:\n type: string\n description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'\n type: object\n overhead:\n additionalProperties:\n type: string\n description: 'Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.'\n type: object\n preemptionPolicy:\n description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is alpha-level and is only honored by servers that enable the NonPreemptingPriority feature.\n type: string\n priority:\n description: The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.\n format: int32\n type: integer\n priorityClassName:\n description: If specified, indicates the pod's priority. \"system-node-critical\" and \"system-cluster-critical\" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.\n type: string\n readinessGates:\n description: 'If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to \"True\" More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md'\n items:\n description: PodReadinessGate contains the reference to a pod condition\n properties:\n conditionType:\n description: ConditionType refers to a condition in the pod's condition list with matching type.\n type: string\n required:\n - conditionType\n type: object\n type: array\n restartPolicy:\n description: 'Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy'\n type: string\n runtimeClassName:\n description: 'RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the \"legacy\" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md This is a beta feature as of Kubernetes v1.14.'\n type: string\n schedulerName:\n description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.\n type: string\n securityContext:\n description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.'\n properties:\n fsGroup:\n description: \"A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: \\n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- \\n If unset, the Kubelet will not modify the ownership and permissions of any volume.\"\n format: int64\n type: integer\n runAsGroup:\n description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.\n format: int64\n type: integer\n runAsNonRoot:\n description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n type: boolean\n runAsUser:\n description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.\n format: int64\n type: integer\n seLinuxOptions:\n description: The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.\n properties:\n level:\n description: Level is SELinux level label that applies to the container.\n type: string\n role:\n description: Role is a SELinux role label that applies to the container.\n type: string\n type:\n description: Type is a SELinux type label that applies to the container.\n type: string\n user:\n description: User is a SELinux user label that applies to the container.\n type: string\n type: object\n supplementalGroups:\n description: A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container.\n items:\n format: int64\n type: integer\n type: array\n sysctls:\n description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.\n items:\n description: Sysctl defines a kernel parameter to be set\n properties:\n name:\n description: Name of a property to set\n type: string\n value:\n description: Value of a property to set\n type: string\n required:\n - name\n - value\n type: object\n type: array\n windowsOptions:\n description: The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\n properties:\n gmsaCredentialSpec:\n description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.\n type: string\n gmsaCredentialSpecName:\n description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag.\n type: string\n runAsUserName:\n description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag.\n type: string\n type: object\n type: object\n serviceAccount:\n description: 'DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.'\n type: string\n serviceAccountName:\n description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/'\n type: string\n shareProcessNamespace:\n description: 'Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false. This field is beta-level and may be disabled with the PodShareProcessNamespace feature.'\n type: boolean\n subdomain:\n description: If specified, the fully qualified Pod hostname will be \"...svc.\". If not specified, the pod will not have a domainname at all.\n type: string\n terminationGracePeriodSeconds:\n description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.\n format: int64\n type: integer\n tolerations:\n description: If specified, the pod's tolerations.\n items:\n description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .\n properties:\n effect:\n description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.\n type: string\n key:\n description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.\n type: string\n operator:\n description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.\n type: string\n tolerationSeconds:\n description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.\n format: int64\n type: integer\n value:\n description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.\n type: string\n type: object\n type: array\n topologySpreadConstraints:\n description: TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. This field is alpha-level and is only honored by clusters that enables the EvenPodsSpread feature. All topologySpreadConstraints are ANDed.\n items:\n description: TopologySpreadConstraint specifies how to spread matching pods among the given topology.\n properties:\n labelSelector:\n description: LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\n properties:\n key:\n description: key is the label key that the selector applies to.\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.\n type: object\n type: object\n maxSkew:\n description: 'MaxSkew describes the degree to which pods may be unevenly distributed. It''s the maximum permitted difference between the number of matching pods in any two topology domains of a given topology type. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. It''s a required field. Default value is 1 and 0 is not allowed.'\n format: int32\n type: integer\n topologyKey:\n description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a \"bucket\", and try to put balanced number of pods into each bucket. It's a required field.\n type: string\n whenUnsatisfiable:\n description: 'WhenUnsatisfiable indicates how to deal with a pod if it doesn''t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it - ScheduleAnyway tells the scheduler to still schedule it It''s considered as \"Unsatisfiable\" if and only if placing incoming pod on any topology violates \"MaxSkew\". For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won''t make it *more* imbalanced. It''s a required field.'\n type: string\n required:\n - maxSkew\n - topologyKey\n - whenUnsatisfiable\n type: object\n type: array\n volumes:\n description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes'\n items:\n description: Volume represents a named volume in a pod that may be accessed by any container in the pod.\n properties:\n awsElasticBlockStore:\n description: 'AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'\n properties:\n fsType:\n description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine'\n type: string\n partition:\n description: 'The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).'\n format: int32\n type: integer\n readOnly:\n description: 'Specify \"true\" to force and set the ReadOnly property in VolumeMounts to \"true\". If omitted, the default is \"false\". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'\n type: boolean\n volumeID:\n description: 'Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'\n type: string\n required:\n - volumeID\n type: object\n azureDisk:\n description: AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.\n properties:\n cachingMode:\n description: 'Host Caching mode: None, Read Only, Read Write.'\n type: string\n diskName:\n description: The Name of the data disk in the blob storage\n type: string\n diskURI:\n description: The URI the data disk in the blob storage\n type: string\n fsType:\n description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\n type: string\n kind:\n description: 'Expected values Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared'\n type: string\n readOnly:\n description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.\n type: boolean\n required:\n - diskName\n - diskURI\n type: object\n azureFile:\n description: AzureFile represents an Azure File Service mount on the host and bind mount to the pod.\n properties:\n readOnly:\n description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.\n type: boolean\n secretName:\n description: the name of secret that contains Azure Storage Account Name and Key\n type: string\n shareName:\n description: Share Name\n type: string\n required:\n - secretName\n - shareName\n type: object\n cephfs:\n description: CephFS represents a Ceph FS mount on the host that shares a pod's lifetime\n properties:\n monitors:\n description: 'Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'\n items:\n type: string\n type: array\n path:\n description: 'Optional: Used as the mounted root, rather than the full Ceph tree, default is /'\n type: string\n readOnly:\n description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'\n type: boolean\n secretFile:\n description: 'Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'\n type: string\n secretRef:\n description: 'Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n type: object\n user:\n description: 'Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'\n type: string\n required:\n - monitors\n type: object\n cinder:\n description: 'Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md'\n properties:\n fsType:\n description: 'Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md'\n type: string\n readOnly:\n description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md'\n type: boolean\n secretRef:\n description: 'Optional: points to a secret object containing parameters used to connect to OpenStack.'\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n type: object\n volumeID:\n description: 'volume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md'\n type: string\n required:\n - volumeID\n type: object\n configMap:\n description: ConfigMap represents a configMap that should populate this volume\n properties:\n defaultMode:\n description: 'Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'\n format: int32\n type: integer\n items:\n description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.\n items:\n description: Maps a string key to a path within a volume.\n properties:\n key:\n description: The key to project.\n type: string\n mode:\n description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'\n format: int32\n type: integer\n path:\n description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the ConfigMap or its keys must be defined\n type: boolean\n type: object\n csi:\n description: CSI (Container Storage Interface) represents storage that is handled by an external CSI driver (Alpha feature).\n properties:\n driver:\n description: Driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.\n type: string\n fsType:\n description: Filesystem type to mount. Ex. \"ext4\", \"xfs\", \"ntfs\". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.\n type: string\n nodePublishSecretRef:\n description: NodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed.\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n type: object\n readOnly:\n description: Specifies a read-only configuration for the volume. Defaults to false (read/write).\n type: boolean\n volumeAttributes:\n additionalProperties:\n type: string\n description: VolumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.\n type: object\n required:\n - driver\n type: object\n downwardAPI:\n description: DownwardAPI represents downward API about the pod that should populate this volume\n properties:\n defaultMode:\n description: 'Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'\n format: int32\n type: integer\n items:\n description: Items is a list of downward API volume file\n items:\n description: DownwardAPIVolumeFile represents information to create the file containing the pod field\n properties:\n fieldRef:\n description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'\n properties:\n apiVersion:\n description: Version of the schema the FieldPath is written in terms of, defaults to \"v1\".\n type: string\n fieldPath:\n description: Path of the field to select in the specified API version.\n type: string\n required:\n - fieldPath\n type: object\n mode:\n description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'\n format: int32\n type: integer\n path:\n description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..'''\n type: string\n resourceFieldRef:\n description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.'\n properties:\n containerName:\n description: 'Container name: required for volumes, optional for env vars'\n type: string\n divisor:\n description: Specifies the output format of the exposed resources, defaults to \"1\"\n type: string\n resource:\n description: 'Required: resource to select'\n type: string\n required:\n - resource\n type: object\n required:\n - path\n type: object\n type: array\n type: object\n emptyDir:\n description: 'EmptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir'\n properties:\n medium:\n description: 'What type of storage medium should back this directory. The default is \"\" which means to use the node''s default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir'\n type: string\n sizeLimit:\n description: 'Total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir'\n type: string\n type: object\n fc:\n description: FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.\n properties:\n fsType:\n description: 'Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine'\n type: string\n lun:\n description: 'Optional: FC target lun number'\n format: int32\n type: integer\n readOnly:\n description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.'\n type: boolean\n targetWWNs:\n description: 'Optional: FC target worldwide names (WWNs)'\n items:\n type: string\n type: array\n wwids:\n description: 'Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.'\n items:\n type: string\n type: array\n type: object\n flexVolume:\n description: FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.\n properties:\n driver:\n description: Driver is the name of the driver to use for this volume.\n type: string\n fsType:\n description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.\n type: string\n options:\n additionalProperties:\n type: string\n description: 'Optional: Extra command options if any.'\n type: object\n readOnly:\n description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.'\n type: boolean\n secretRef:\n description: 'Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.'\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n type: object\n required:\n - driver\n type: object\n flocker:\n description: Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running\n properties:\n datasetName:\n description: Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated\n type: string\n datasetUUID:\n description: UUID of the dataset. This is unique identifier of a Flocker dataset\n type: string\n type: object\n gcePersistentDisk:\n description: 'GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'\n properties:\n fsType:\n description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine'\n type: string\n partition:\n description: 'The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'\n format: int32\n type: integer\n pdName:\n description: 'Unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'\n type: string\n readOnly:\n description: 'ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'\n type: boolean\n required:\n - pdName\n type: object\n gitRepo:\n description: 'GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod''s container.'\n properties:\n directory:\n description: Target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.\n type: string\n repository:\n description: Repository URL\n type: string\n revision:\n description: Commit hash for the specified revision.\n type: string\n required:\n - repository\n type: object\n glusterfs:\n description: 'Glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md'\n properties:\n endpoints:\n description: 'EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'\n type: string\n path:\n description: 'Path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'\n type: string\n readOnly:\n description: 'ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'\n type: boolean\n required:\n - endpoints\n - path\n type: object\n hostPath:\n description: 'HostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath --- TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not mount host directories as read/write.'\n properties:\n path:\n description: 'Path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath'\n type: string\n type:\n description: 'Type for HostPath Volume Defaults to \"\" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath'\n type: string\n required:\n - path\n type: object\n iscsi:\n description: 'ISCSI represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md'\n properties:\n chapAuthDiscovery:\n description: whether support iSCSI Discovery CHAP authentication\n type: boolean\n chapAuthSession:\n description: whether support iSCSI Session CHAP authentication\n type: boolean\n fsType:\n description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine'\n type: string\n initiatorName:\n description: Custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection.\n type: string\n iqn:\n description: Target iSCSI Qualified Name.\n type: string\n iscsiInterface:\n description: iSCSI Interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).\n type: string\n lun:\n description: iSCSI Target Lun number.\n format: int32\n type: integer\n portals:\n description: iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).\n items:\n type: string\n type: array\n readOnly:\n description: ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.\n type: boolean\n secretRef:\n description: CHAP Secret for iSCSI target and initiator authentication\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n type: object\n targetPortal:\n description: iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).\n type: string\n required:\n - iqn\n - lun\n - targetPortal\n type: object\n name:\n description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'\n type: string\n nfs:\n description: 'NFS represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'\n properties:\n path:\n description: 'Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'\n type: string\n readOnly:\n description: 'ReadOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'\n type: boolean\n server:\n description: 'Server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'\n type: string\n required:\n - path\n - server\n type: object\n persistentVolumeClaim:\n description: 'PersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'\n properties:\n claimName:\n description: 'ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'\n type: string\n readOnly:\n description: Will force the ReadOnly setting in VolumeMounts. Default false.\n type: boolean\n required:\n - claimName\n type: object\n photonPersistentDisk:\n description: PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine\n properties:\n fsType:\n description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\n type: string\n pdID:\n description: ID that identifies Photon Controller persistent disk\n type: string\n required:\n - pdID\n type: object\n portworxVolume:\n description: PortworxVolume represents a portworx volume attached and mounted on kubelets host machine\n properties:\n fsType:\n description: FSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.\n type: string\n readOnly:\n description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.\n type: boolean\n volumeID:\n description: VolumeID uniquely identifies a Portworx volume\n type: string\n required:\n - volumeID\n type: object\n projected:\n description: Items for all in one resources secrets, configmaps, and downward API\n properties:\n defaultMode:\n description: Mode bits to use on created files by default. Must be a value between 0 and 0777. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.\n format: int32\n type: integer\n sources:\n description: list of volume projections\n items:\n description: Projection that may be projected along with other supported volume types\n properties:\n configMap:\n description: information about the configMap data to project\n properties:\n items:\n description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.\n items:\n description: Maps a string key to a path within a volume.\n properties:\n key:\n description: The key to project.\n type: string\n mode:\n description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'\n format: int32\n type: integer\n path:\n description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the ConfigMap or its keys must be defined\n type: boolean\n type: object\n downwardAPI:\n description: information about the downwardAPI data to project\n properties:\n items:\n description: Items is a list of DownwardAPIVolume file\n items:\n description: DownwardAPIVolumeFile represents information to create the file containing the pod field\n properties:\n fieldRef:\n description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.'\n properties:\n apiVersion:\n description: Version of the schema the FieldPath is written in terms of, defaults to \"v1\".\n type: string\n fieldPath:\n description: Path of the field to select in the specified API version.\n type: string\n required:\n - fieldPath\n type: object\n mode:\n description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'\n format: int32\n type: integer\n path:\n description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..'''\n type: string\n resourceFieldRef:\n description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.'\n properties:\n containerName:\n description: 'Container name: required for volumes, optional for env vars'\n type: string\n divisor:\n description: Specifies the output format of the exposed resources, defaults to \"1\"\n type: string\n resource:\n description: 'Required: resource to select'\n type: string\n required:\n - resource\n type: object\n required:\n - path\n type: object\n type: array\n type: object\n secret:\n description: information about the secret data to project\n properties:\n items:\n description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.\n items:\n description: Maps a string key to a path within a volume.\n properties:\n key:\n description: The key to project.\n type: string\n mode:\n description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'\n format: int32\n type: integer\n path:\n description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.\n type: string\n required:\n - key\n - path\n type: object\n type: array\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the Secret or its key must be defined\n type: boolean\n type: object\n serviceAccountToken:\n description: information about the serviceAccountToken data to project\n properties:\n audience:\n description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.\n type: string\n expirationSeconds:\n description: ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.\n format: int64\n type: integer\n path:\n description: Path is the path relative to the mount point of the file to project the token into.\n type: string\n required:\n - path\n type: object\n type: object\n type: array\n required:\n - sources\n type: object\n quobyte:\n description: Quobyte represents a Quobyte mount on the host that shares a pod's lifetime\n properties:\n group:\n description: Group to map volume access to Default is no group\n type: string\n readOnly:\n description: ReadOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.\n type: boolean\n registry:\n description: Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes\n type: string\n tenant:\n description: Tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin\n type: string\n user:\n description: User to map volume access to Defaults to serivceaccount user\n type: string\n volume:\n description: Volume is a string that references an already created Quobyte volume by name.\n type: string\n required:\n - registry\n - volume\n type: object\n rbd:\n description: 'RBD represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md'\n properties:\n fsType:\n description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine'\n type: string\n image:\n description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'\n type: string\n keyring:\n description: 'Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'\n type: string\n monitors:\n description: 'A collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'\n items:\n type: string\n type: array\n pool:\n description: 'The rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'\n type: string\n readOnly:\n description: 'ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'\n type: boolean\n secretRef:\n description: 'SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n type: object\n user:\n description: 'The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'\n type: string\n required:\n - image\n - monitors\n type: object\n scaleIO:\n description: ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.\n properties:\n fsType:\n description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Default is \"xfs\".\n type: string\n gateway:\n description: The host address of the ScaleIO API Gateway.\n type: string\n protectionDomain:\n description: The name of the ScaleIO Protection Domain for the configured storage.\n type: string\n readOnly:\n description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.\n type: boolean\n secretRef:\n description: SecretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n type: object\n sslEnabled:\n description: Flag to enable/disable SSL communication with Gateway, default false\n type: boolean\n storageMode:\n description: Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.\n type: string\n storagePool:\n description: The ScaleIO Storage Pool associated with the protection domain.\n type: string\n system:\n description: The name of the storage system as configured in ScaleIO.\n type: string\n volumeName:\n description: The name of a volume already created in the ScaleIO system that is associated with this volume source.\n type: string\n required:\n - gateway\n - secretRef\n - system\n type: object\n secret:\n description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'\n properties:\n defaultMode:\n description: 'Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'\n format: int32\n type: integer\n items:\n description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.\n items:\n description: Maps a string key to a path within a volume.\n properties:\n key:\n description: The key to project.\n type: string\n mode:\n description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.'\n format: int32\n type: integer\n path:\n description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.\n type: string\n required:\n - key\n - path\n type: object\n type: array\n optional:\n description: Specify whether the Secret or its keys must be defined\n type: boolean\n secretName:\n description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'\n type: string\n type: object\n storageos:\n description: StorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.\n properties:\n fsType:\n description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\n type: string\n readOnly:\n description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.\n type: boolean\n secretRef:\n description: SecretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted.\n properties:\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n type: object\n volumeName:\n description: VolumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.\n type: string\n volumeNamespace:\n description: VolumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.\n type: string\n type: object\n vsphereVolume:\n description: VsphereVolume represents a vSphere volume attached and mounted on kubelets host machine\n properties:\n fsType:\n description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.\n type: string\n storagePolicyID:\n description: Storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.\n type: string\n storagePolicyName:\n description: Storage Policy Based Management (SPBM) profile name.\n type: string\n volumePath:\n description: Path that identifies vSphere volume vmdk\n type: string\n required:\n - volumePath\n type: object\n required:\n - name\n type: object\n type: array\n required:\n - containers\n type: object\n type: object\n type: object\n type: object\n required:\n - xgbReplicaSpecs\n type: object\n status:\n description: XGBoostJobStatus defines the observed state of XGBoostJob\n properties:\n completionTime:\n description: Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC.\n format: date-time\n type: string\n conditions:\n description: Conditions is an array of current observed job conditions.\n items:\n description: JobCondition describes the state of the job at a certain point.\n properties:\n lastTransitionTime:\n description: Last time the condition transitioned from one status to another.\n format: date-time\n type: string\n lastUpdateTime:\n description: The last time this condition was updated.\n format: date-time\n type: string\n message:\n description: A human readable message indicating details about the transition.\n type: string\n reason:\n description: The reason for the condition's last transition.\n type: string\n status:\n description: Status of the condition, one of True, False, Unknown.\n type: string\n type:\n description: Type of job condition.\n type: string\n required:\n - status\n - type\n type: object\n type: array\n lastReconcileTime:\n description: Represents last time when the job was reconciled. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC.\n format: date-time\n type: string\n replicaStatuses:\n additionalProperties:\n description: ReplicaStatus represents the current observed state of the replica.\n properties:\n active:\n description: The number of actively running pods.\n format: int32\n type: integer\n failed:\n description: The number of pods which reached phase Failed.\n format: int32\n type: integer\n succeeded:\n description: The number of pods which reached phase Succeeded.\n format: int32\n type: integer\n type: object\n description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, specifies the status of each replica.\n type: object\n startTime:\n description: Represents time when the job was acknowledged by the job controller. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC.\n format: date-time\n type: string\n required:\n - conditions\n - replicaStatuses\n type: object\n type: object\n version: v1\n versions:\n - name: v1\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n labels:\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n name: xgboost-operator-service-account\n namespace: kubeflow\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n name: xgboost-operator-cluster-role\nrules:\n- apiGroups:\n - apps\n resources:\n - deployments\n - deployments/status\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n- apiGroups:\n - xgboostjob.kubeflow.org\n resources:\n - xgboostjobs\n - xgboostjobs/status\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n- apiGroups:\n - admissionregistration.k8s.io\n resources:\n - mutatingwebhookconfigurations\n - validatingwebhookconfigurations\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n - endpoints\n - events\n - namespaces\n - persistentvolumeclaims\n - pods\n - secrets\n - services\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n- apiGroups:\n - storage.k8s.io\n resources:\n - storageclasses\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n labels:\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n name: xgboost-operator-cluster-role-binding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: xgboost-operator-cluster-role\nsubjects:\n- kind: ServiceAccount\n name: xgboost-operator-service-account\n namespace: kubeflow\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n name: xgboost-operator-xgboost-operator-config-6ct58987ht\n namespace: kubeflow\n---\napiVersion: v1\nkind: Service\nmetadata:\n annotations:\n prometheus.io/path: /metrics\n prometheus.io/port: \"8080\"\n prometheus.io/scrape: \"true\"\n labels:\n app: xgboost-operator\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n name: xgboost-operator-service\n namespace: kubeflow\nspec:\n ports:\n - port: 443\n selector:\n app: xgboost-operator\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n type: ClusterIP\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n name: xgboost-operator-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: xgboost-operator\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n template:\n metadata:\n labels:\n app: xgboost-operator\n app.kubernetes.io/component: xgboostjob\n app.kubernetes.io/name: xgboost-operator\n spec:\n containers:\n - command:\n - /root/manager\n - -mode=in-cluster\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflow-xgboost-operator:v0.2.0-c368f\n imagePullPolicy: Always\n name: xgboost-operator\n serviceAccountName: xgboost-operator-service-account\n"
},
{
"path": "manifest1.3/033-user-namespace-user-namespace-base.yaml",
"content": "apiVersion: v1\ndata:\n profile-name: kubeflow-user-example-com\n user: user@example.com\nkind: ConfigMap\nmetadata:\n name: default-install-config-9h2h2b6hbk\n---\napiVersion: kubeflow.org/v1beta1\nkind: Profile\nmetadata:\n name: kubeflow-user-example-com\nspec:\n owner:\n kind: User\n name: user@example.com\n"
},
{
"path": "patch/auth.yaml",
"content": "apiVersion: v1\ndata:\n config.yaml: |\n issuer: http://dex.auth.svc.cluster.local:5556/dex\n storage:\n type: kubernetes\n config:\n inCluster: true\n web:\n http: 0.0.0.0:5556\n logger:\n level: \"debug\"\n format: text\n oauth2:\n skipApprovalScreen: true\n enablePasswordDB: true\n staticPasswords:\n - email: \"admin@example.com\"\n # hash string is \"password\"\n hash: \"$2y$12$X.oNHMsIfRSq35eRfiTYV.dPIYlWyPDRRc1.JVp0f3c.YqqJNW4uK\"\n username: \"admin\"\n userID: \"08a8684b-db88-4b73-90a9-3cd1661f5466\"\n staticClients:\n # https://github.com/dexidp/dex/pull/1664\n - idEnv: OIDC_CLIENT_ID\n redirectURIs: [\"/login/oidc\"]\n name: 'Dex Login Application'\n secretEnv: OIDC_CLIENT_SECRET\nkind: ConfigMap\nmetadata:\n name: dex\n namespace: auth\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: dex\n name: dex\n namespace: auth\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: dex\n template:\n metadata:\n labels:\n app: dex\n spec:\n containers:\n - command:\n - dex\n - serve\n - /etc/dex/cfg/config.yaml\n envFrom:\n - secretRef:\n name: dex-oidc-client\n env:\n - name: KUBERNETES_POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/dexidp-dex:v2.24.0-bb0b9\n name: dex\n ports:\n - containerPort: 5556\n name: http\n volumeMounts:\n - mountPath: /etc/dex/cfg\n name: config\n serviceAccountName: dex\n volumes:\n - configMap:\n items:\n - key: config.yaml\n path: config.yaml\n name: dex\n name: config\n---\napiVersion: v1\ndata:\n profile-name: kubeflow-user-example-com\n user: admin@example.com\nkind: ConfigMap\nmetadata:\n name: default-install-config-9h2h2b6hbk\n---\napiVersion: kubeflow.org/v1beta1\nkind: Profile\nmetadata:\n name: kubeflow-user-example-com\nspec:\n owner:\n kind: User\n name: admin@example.com\n"
},
{
"path": "patch/cluster-local-gateway.yaml",
"content": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: cluster-local-gateway\n install.operator.istio.io/owning-resource: unknown\n istio: cluster-local-gateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: cluster-local-gateway\n namespace: istio-system\nspec:\n selector:\n matchLabels:\n app: cluster-local-gateway\n istio: cluster-local-gateway\n strategy:\n rollingUpdate:\n maxSurge: 100%\n maxUnavailable: 25%\n template:\n metadata:\n annotations:\n prometheus.io/path: /stats/prometheus\n prometheus.io/port: \"15020\"\n prometheus.io/scrape: \"true\"\n sidecar.istio.io/inject: \"false\"\n labels:\n app: cluster-local-gateway\n chart: gateways\n heritage: Tiller\n install.operator.istio.io/owning-resource: unknown\n istio: cluster-local-gateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n service.istio.io/canonical-name: cluster-local-gateway\n service.istio.io/canonical-revision: latest\n sidecar.istio.io/inject: \"false\"\n spec:\n affinity:\n nodeAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - amd64\n weight: 2\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - ppc64le\n weight: 2\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - s390x\n weight: 2\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - amd64\n - ppc64le\n - s390x\n containers:\n - args:\n - proxy\n - router\n - --domain\n - $(POD_NAMESPACE).svc.cluster.local\n - --proxyLogLevel=warning\n - --proxyComponentLogLevel=misc:error\n - --log_output_level=default:info\n - --serviceCluster\n - cluster-local-gateway\n env:\n - name: JWT_POLICY\n value: first-party-jwt\n - name: PILOT_CERT_PROVIDER\n value: istiod\n - name: CA_ADDR\n value: istiod.istio-system.svc:15012\n - name: NODE_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: spec.nodeName\n - name: POD_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.namespace\n - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: status.podIP\n - name: HOST_IP\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: status.hostIP\n - name: SERVICE_ACCOUNT\n valueFrom:\n fieldRef:\n fieldPath: spec.serviceAccountName\n - name: CANONICAL_SERVICE\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-name']\n - name: CANONICAL_REVISION\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-revision']\n - name: ISTIO_META_WORKLOAD_NAME\n value: cluster-local-gateway\n - name: ISTIO_META_OWNER\n value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway\n - name: ISTIO_META_UNPRIVILEGED_POD\n value: \"true\"\n - name: ISTIO_META_ROUTER_MODE\n value: sni-dnat\n - name: ISTIO_META_CLUSTER_ID\n value: Kubernetes\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-proxyv2:1.9.0-e8a74\n name: istio-proxy\n ports:\n - containerPort: 15020\n protocol: TCP\n - containerPort: 8080\n protocol: TCP\n - containerPort: 15090\n name: http-envoy-prom\n protocol: TCP\n readinessProbe:\n failureThreshold: 30\n httpGet:\n path: /healthz/ready\n port: 15021\n scheme: HTTP\n initialDelaySeconds: 1\n periodSeconds: 2\n successThreshold: 1\n timeoutSeconds: 1\n resources:\n limits:\n cpu: 2000m\n memory: 1024Mi\n requests:\n cpu: 100m\n memory: 128Mi\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n privileged: false\n readOnlyRootFilesystem: true\n volumeMounts:\n - mountPath: /etc/istio/proxy\n name: istio-envoy\n - mountPath: /etc/istio/config\n name: config-volume\n - mountPath: /var/run/secrets/istio\n name: istiod-ca-cert\n - mountPath: /var/lib/istio/data\n name: istio-data\n - mountPath: /etc/istio/pod\n name: podinfo\n - mountPath: /etc/istio/ingressgateway-certs\n name: ingressgateway-certs\n readOnly: true\n - mountPath: /etc/istio/ingressgateway-ca-certs\n name: ingressgateway-ca-certs\n readOnly: true\n securityContext:\n fsGroup: 1337\n runAsGroup: 1337\n runAsNonRoot: true\n runAsUser: 1337\n serviceAccountName: cluster-local-gateway-service-account\n volumes:\n - configMap:\n name: istio-ca-root-cert\n name: istiod-ca-cert\n - downwardAPI:\n items:\n - fieldRef:\n fieldPath: metadata.labels\n path: labels\n - fieldRef:\n fieldPath: metadata.annotations\n path: annotations\n - path: cpu-limit\n resourceFieldRef:\n containerName: istio-proxy\n divisor: 1m\n resource: limits.cpu\n - path: cpu-request\n resourceFieldRef:\n containerName: istio-proxy\n divisor: 1m\n resource: requests.cpu\n name: podinfo\n - emptyDir: {}\n name: istio-envoy\n - emptyDir: {}\n name: istio-data\n - configMap:\n name: istio\n optional: true\n name: config-volume\n - name: ingressgateway-certs\n secret:\n optional: true\n secretName: istio-ingressgateway-certs\n - name: ingressgateway-ca-certs\n secret:\n optional: true\n secretName: istio-ingressgateway-ca-certs"
},
{
"path": "patch/data.yaml",
"content": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: minio\n application-crd-id: kubeflow-pipelines\n name: minio\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: minio\n application-crd-id: kubeflow-pipelines\n strategy:\n type: Recreate\n template:\n metadata:\n labels:\n app: minio\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - args:\n - server\n - /data\n env:\n - name: MINIO_ACCESS_KEY\n valueFrom:\n secretKeyRef:\n key: accesskey\n name: mlpipeline-minio-artifact\n - name: MINIO_SECRET_KEY\n valueFrom:\n secretKeyRef:\n key: secretkey\n name: mlpipeline-minio-artifact\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-minio:RELEASE.2019-08-14T20-37-41Z-license-compliance-290a7\n name: minio\n ports:\n - containerPort: 9000\n resources:\n requests:\n cpu: 20m\n memory: 100Mi\n volumeMounts:\n - mountPath: /data\n name: data\n subPath: minio\n volumes:\n - name: data\n emptyDir:\n {}\n"
},
{
"path": "patch/envoy-filter.yaml",
"content": "---\napiVersion: networking.istio.io/v1alpha3\nkind: EnvoyFilter\nmetadata:\n name: authn-filter\n namespace: istio-system\nspec:\n configPatches:\n - applyTo: HTTP_FILTER\n listener:\n filterChain:\n filter:\n name: envoy.http_connection_manager\n subFilter:\n name: \"\"\n match:\n context: GATEWAY\n patch:\n operation: INSERT_BEFORE\n value:\n name: envoy.filters.http.ext_authz\n typed_config:\n '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz\n http_service:\n authorization_request:\n allowed_headers:\n patterns:\n - exact: authorization\n - exact: cookie\n - exact: x-auth-token\n authorization_response:\n allowed_upstream_headers:\n patterns:\n - exact: kubeflow-userid\n server_uri:\n cluster: outbound|8080||authservice.istio-system.svc.cluster.local\n timeout: 10s\n uri: http://authservice.istio-system.svc.cluster.local\n workloadSelector:\n labels:\n istio: ingressgateway"
},
{
"path": "patch/istio-ingressgateway.yaml",
"content": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: istio-ingressgateway\n install.operator.istio.io/owning-resource: unknown\n istio: ingressgateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n name: istio-ingressgateway\n namespace: istio-system\nspec:\n selector:\n matchLabels:\n app: istio-ingressgateway\n istio: ingressgateway\n strategy:\n rollingUpdate:\n maxSurge: 100%\n maxUnavailable: 25%\n template:\n metadata:\n annotations:\n prometheus.io/path: /stats/prometheus\n prometheus.io/port: \"15020\"\n prometheus.io/scrape: \"true\"\n sidecar.istio.io/inject: \"false\"\n labels:\n app: istio-ingressgateway\n chart: gateways\n heritage: Tiller\n install.operator.istio.io/owning-resource: unknown\n istio: ingressgateway\n istio.io/rev: default\n operator.istio.io/component: IngressGateways\n release: istio\n service.istio.io/canonical-name: istio-ingressgateway\n service.istio.io/canonical-revision: latest\n sidecar.istio.io/inject: \"false\"\n spec:\n affinity:\n nodeAffinity:\n preferredDuringSchedulingIgnoredDuringExecution:\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - amd64\n weight: 2\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - ppc64le\n weight: 2\n - preference:\n matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - s390x\n weight: 2\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: kubernetes.io/arch\n operator: In\n values:\n - amd64\n - ppc64le\n - s390x\n containers:\n - args:\n - proxy\n - router\n - --domain\n - $(POD_NAMESPACE).svc.cluster.local\n - --proxyLogLevel=warning\n - --proxyComponentLogLevel=misc:error\n - --log_output_level=default:info\n - --serviceCluster\n - istio-ingressgateway\n env:\n - name: JWT_POLICY\n value: first-party-jwt\n - name: PILOT_CERT_PROVIDER\n value: istiod\n - name: CA_ADDR\n value: istiod.istio-system.svc:15012\n - name: NODE_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: spec.nodeName\n - name: POD_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.namespace\n - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: status.podIP\n - name: HOST_IP\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: status.hostIP\n - name: SERVICE_ACCOUNT\n valueFrom:\n fieldRef:\n fieldPath: spec.serviceAccountName\n - name: CANONICAL_SERVICE\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-name']\n - name: CANONICAL_REVISION\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-revision']\n - name: ISTIO_META_WORKLOAD_NAME\n value: istio-ingressgateway\n - name: ISTIO_META_OWNER\n value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway\n - name: ISTIO_META_UNPRIVILEGED_POD\n value: \"true\"\n - name: ISTIO_META_ROUTER_MODE\n value: standard\n - name: ISTIO_META_CLUSTER_ID\n value: Kubernetes\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-proxyv2:1.9.0-e8a74\n name: istio-proxy\n ports:\n - containerPort: 15021\n protocol: TCP\n - containerPort: 8080\n protocol: TCP\n - containerPort: 8443\n protocol: TCP\n - containerPort: 31400\n protocol: TCP\n - containerPort: 15443\n protocol: TCP\n - containerPort: 15090\n name: http-envoy-prom\n protocol: TCP\n readinessProbe:\n failureThreshold: 30\n httpGet:\n path: /healthz/ready\n port: 15021\n scheme: HTTP\n initialDelaySeconds: 1\n periodSeconds: 2\n successThreshold: 1\n timeoutSeconds: 1\n resources:\n limits:\n cpu: 2000m\n memory: 1024Mi\n requests:\n cpu: 10m\n memory: 40Mi\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n privileged: false\n readOnlyRootFilesystem: true\n volumeMounts:\n - mountPath: /etc/istio/proxy\n name: istio-envoy\n - mountPath: /etc/istio/config\n name: config-volume\n - mountPath: /var/run/secrets/istio\n name: istiod-ca-cert\n - mountPath: /var/lib/istio/data\n name: istio-data\n - mountPath: /etc/istio/pod\n name: podinfo\n - mountPath: /etc/istio/ingressgateway-certs\n name: ingressgateway-certs\n readOnly: true\n - mountPath: /etc/istio/ingressgateway-ca-certs\n name: ingressgateway-ca-certs\n readOnly: true\n securityContext:\n fsGroup: 1337\n runAsGroup: 1337\n runAsNonRoot: true\n runAsUser: 1337\n serviceAccountName: istio-ingressgateway-service-account\n volumes:\n - configMap:\n name: istio-ca-root-cert\n name: istiod-ca-cert\n - downwardAPI:\n items:\n - fieldRef:\n fieldPath: metadata.labels\n path: labels\n - fieldRef:\n fieldPath: metadata.annotations\n path: annotations\n - path: cpu-limit\n resourceFieldRef:\n containerName: istio-proxy\n divisor: 1m\n resource: limits.cpu\n - path: cpu-request\n resourceFieldRef:\n containerName: istio-proxy\n divisor: 1m\n resource: requests.cpu\n name: podinfo\n - emptyDir: {}\n name: istio-envoy\n - emptyDir: {}\n name: istio-data\n - configMap:\n name: istio\n optional: true\n name: config-volume\n - name: ingressgateway-certs\n secret:\n optional: true\n secretName: istio-ingressgateway-certs\n - name: ingressgateway-ca-certs\n secret:\n optional: true\n secretName: istio-ingressgateway-ca-certs"
},
{
"path": "patch/istiod.yaml",
"content": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: istiod\n install.operator.istio.io/owning-resource: unknown\n istio: pilot\n istio.io/rev: default\n operator.istio.io/component: Pilot\n release: istio\n name: istiod\n namespace: istio-system\nspec:\n progressDeadlineSeconds: 600\n replicas: 1\n revisionHistoryLimit: 10\n selector:\n matchLabels:\n istio: pilot\n strategy:\n rollingUpdate:\n maxSurge: 100%\n maxUnavailable: 25%\n type: RollingUpdate\n template:\n metadata:\n annotations:\n prometheus.io/port: \"15014\"\n prometheus.io/scrape: \"true\"\n sidecar.istio.io/inject: \"false\"\n creationTimestamp: null\n labels:\n app: istiod\n install.operator.istio.io/owning-resource: unknown\n istio: pilot\n istio.io/rev: default\n operator.istio.io/component: Pilot\n sidecar.istio.io/inject: \"false\"\n spec:\n containers:\n - args:\n - discovery\n - --monitoringAddr=:15014\n - --log_output_level=default:info\n - --domain\n - cluster.local\n - --keepaliveMaxServerConnectionAge\n - 30m\n env:\n - name: REVISION\n value: default\n - name: JWT_POLICY\n value: first-party-jwt\n - name: PILOT_CERT_PROVIDER\n value: istiod\n - name: POD_NAME\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: metadata.namespace\n - name: SERVICE_ACCOUNT\n valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: spec.serviceAccountName\n - name: KUBECONFIG\n value: /var/run/secrets/remote/config\n - name: PILOT_TRACE_SAMPLING\n value: \"100\"\n - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND\n value: \"true\"\n - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND\n value: \"true\"\n - name: ISTIOD_ADDR\n value: istiod.istio-system.svc:15012\n - name: PILOT_ENABLE_ANALYSIS\n value: \"false\"\n - name: CLUSTER_ID\n value: Kubernetes\n - name: EXTERNAL_ISTIOD\n value: \"false\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-pilot:1.9.0-9d4e9\n imagePullPolicy: IfNotPresent\n name: discovery\n ports:\n - containerPort: 8080\n protocol: TCP\n - containerPort: 15010\n protocol: TCP\n - containerPort: 15017\n protocol: TCP\n readinessProbe:\n failureThreshold: 3\n httpGet:\n path: /ready\n port: 8080\n scheme: HTTP\n initialDelaySeconds: 1\n periodSeconds: 3\n successThreshold: 1\n timeoutSeconds: 5\n resources:\n requests:\n cpu: 10m\n memory: 100Mi\n securityContext:\n capabilities:\n drop:\n - ALL\n runAsGroup: 1337\n runAsNonRoot: true\n runAsUser: 1337\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - mountPath: /etc/istio/config\n name: config-volume\n - mountPath: /var/run/secrets/istio-dns\n name: local-certs\n - mountPath: /etc/cacerts\n name: cacerts\n readOnly: true\n - mountPath: /var/run/secrets/remote\n name: istio-kubeconfig\n readOnly: true\n - mountPath: /var/lib/istio/inject\n name: inject\n readOnly: true\n dnsPolicy: ClusterFirst\n restartPolicy: Always\n schedulerName: default-scheduler\n securityContext:\n fsGroup: 1337\n serviceAccount: istiod-service-account\n serviceAccountName: istiod-service-account\n terminationGracePeriodSeconds: 30\n volumes:\n - emptyDir:\n medium: Memory\n name: local-certs\n - name: cacerts\n secret:\n defaultMode: 420\n optional: true\n secretName: cacerts\n - name: istio-kubeconfig\n secret:\n defaultMode: 420\n optional: true\n secretName: istio-kubeconfig\n - configMap:\n defaultMode: 420\n name: istio-sidecar-injector\n name: inject\n - configMap:\n defaultMode: 420\n name: istio\n name: config-volume\n\n---\napiVersion: v1\ndata:\n config: |-\n # defaultTemplates defines the default template to use for pods that do not explicitly specify a template\n defaultTemplates: [sidecar]\n policy: enabled\n alwaysInjectSelector:\n []\n neverInjectSelector:\n []\n injectedAnnotations:\n template: \"{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}\"\n templates:\n sidecar: |\n {{- $containers := list }}\n {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name \"istio-proxy\") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}\n metadata:\n labels:\n security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default \"istio\" | quote }}\n service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}\n service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default \"latest\" | quote }}\n istio.io/rev: {{ .Revision | default \"default\" | quote }}\n annotations: {\n {{- if eq (len $containers) 1 }}\n kubectl.kubernetes.io/default-logs-container: \"{{ index $containers 0 }}\",\n {{ end }}\n {{- if .Values.istio_cni.enabled }}\n {{- if not .Values.istio_cni.chained }}\n k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',\n {{- end }}\n sidecar.istio.io/interceptionMode: \"{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}\",\n {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: \"{{.}}\",{{ end }}\n {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: \"{{.}}\",{{ end }}\n traffic.sidecar.istio.io/includeInboundPorts: \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}\",\n traffic.sidecar.istio.io/excludeInboundPorts: \"{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}\",\n {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts \"\") \"\") }}\n traffic.sidecar.istio.io/includeOutboundPorts: \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}\",\n {{- end }}\n {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts \"\") }}\n traffic.sidecar.istio.io/excludeOutboundPorts: \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}\",\n {{- end }}\n {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: \"{{.}}\",{{ end }}\n {{- end }}\n }\n spec:\n {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}\n initContainers:\n {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}\n {{ if .Values.istio_cni.enabled -}}\n - name: istio-validation\n {{ else -}}\n - name: istio-init\n {{ end -}}\n {{- if contains \"/\" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}\n image: \"{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}\"\n {{- else }}\n image: \"{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}\"\n {{- end }}\n args:\n - istio-iptables\n - \"-p\"\n - \"15001\"\n - \"-z\"\n - \"15006\"\n - \"-u\"\n - \"1337\"\n - \"-m\"\n - \"{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}\"\n - \"-i\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}\"\n - \"-x\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}\"\n - \"-b\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}\"\n - \"-d\"\n {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}\n - \"15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}\"\n {{- else }}\n - \"15090,15021\"\n {{- end }}\n {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts \"\") \"\") -}}\n - \"-q\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}\"\n {{ end -}}\n {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts \"\") \"\") -}}\n - \"-o\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}\"\n {{ end -}}\n {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}\n - \"-k\"\n - \"{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}\"\n {{ end -}}\n {{ if .Values.istio_cni.enabled -}}\n - \"--run-validation\"\n - \"--skip-rule-apply\"\n {{ end -}}\n imagePullPolicy: \"{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}\"\n {{- if .ProxyConfig.ProxyMetadata }}\n env:\n {{- range $key, $value := .ProxyConfig.ProxyMetadata }}\n - name: {{ $key }}\n value: \"{{ $value }}\"\n {{- end }}\n {{- end }}\n resources:\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}\n requests:\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}\n cpu: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}\"\n {{ end }}\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}\n memory: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}\"\n {{ end }}\n {{- end }}\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}\n limits:\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}\n cpu: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}\"\n {{ end }}\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}\n memory: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}\"\n {{ end }}\n {{- end }}\n {{- else }}\n {{- if .Values.global.proxy.resources }}\n {{ toYaml .Values.global.proxy.resources | indent 6 }}\n {{- end }}\n {{- end }}\n securityContext:\n allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}\n privileged: {{ .Values.global.proxy.privileged }}\n capabilities:\n {{- if not .Values.istio_cni.enabled }}\n add:\n - NET_ADMIN\n - NET_RAW\n {{- end }}\n drop:\n - ALL\n {{- if not .Values.istio_cni.enabled }}\n readOnlyRootFilesystem: false\n runAsGroup: 0\n runAsNonRoot: false\n runAsUser: 0\n {{- else }}\n readOnlyRootFilesystem: true\n runAsGroup: 1337\n runAsUser: 1337\n runAsNonRoot: true\n {{- end }}\n restartPolicy: Always\n {{ end -}}\n {{- if eq .Values.global.proxy.enableCoreDump true }}\n - name: enable-core-dump\n args:\n - -c\n - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited\n command:\n - /bin/sh\n {{- if contains \"/\" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}\n image: \"{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}\"\n {{- else }}\n image: \"{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}\"\n {{- end }}\n imagePullPolicy: \"{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}\"\n resources: {}\n securityContext:\n allowPrivilegeEscalation: true\n capabilities:\n add:\n - SYS_ADMIN\n drop:\n - ALL\n privileged: true\n readOnlyRootFilesystem: false\n runAsGroup: 0\n runAsNonRoot: false\n runAsUser: 0\n {{ end }}\n containers:\n - name: istio-proxy\n {{- if contains \"/\" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}\n image: \"{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}\"\n {{- else }}\n image: \"{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}\"\n {{- end }}\n ports:\n - containerPort: 15090\n protocol: TCP\n name: http-envoy-prom\n args:\n - proxy\n - sidecar\n - --domain\n - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}\n - --serviceCluster\n {{ if ne \"\" (index .ObjectMeta.Labels \"app\") -}}\n - \"{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)\"\n {{ else -}}\n - \"{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}\"\n {{ end -}}\n - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}\n - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}\n - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}\n {{- if .Values.global.sts.servicePort }}\n - --stsPort={{ .Values.global.sts.servicePort }}\n {{- end }}\n {{- if .Values.global.logAsJson }}\n - --log_as_json\n {{- end }}\n {{- if gt .ProxyConfig.Concurrency.GetValue 0 }}\n - --concurrency\n - \"{{ .ProxyConfig.Concurrency.GetValue }}\"\n {{- end -}}\n {{- if .Values.global.proxy.lifecycle }}\n lifecycle:\n {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}\n {{- else if $holdProxy }}\n lifecycle:\n postStart:\n exec:\n command:\n - pilot-agent\n - wait\n {{- end }}\n env:\n - name: JWT_POLICY\n value: {{ .Values.global.jwtPolicy }}\n - name: PILOT_CERT_PROVIDER\n value: {{ .Values.global.pilotCertProvider }}\n - name: CA_ADDR\n {{- if .Values.global.caAddress }}\n value: {{ .Values.global.caAddress }}\n {{- else }}\n value: istiod{{- if not (eq .Values.revision \"\") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012\n {{- end }}\n - name: POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n - name: SERVICE_ACCOUNT\n valueFrom:\n fieldRef:\n fieldPath: spec.serviceAccountName\n - name: HOST_IP\n valueFrom:\n fieldRef:\n fieldPath: status.hostIP\n - name: CANONICAL_SERVICE\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-name']\n - name: CANONICAL_REVISION\n valueFrom:\n fieldRef:\n fieldPath: metadata.labels['service.istio.io/canonical-revision']\n - name: PROXY_CONFIG\n value: |\n {{ protoToJSON .ProxyConfig }}\n - name: ISTIO_META_POD_PORTS\n value: |-\n [\n {{- $first := true }}\n {{- range $index1, $c := .Spec.Containers }}\n {{- range $index2, $p := $c.Ports }}\n {{- if (structToJSON $p) }}\n {{if not $first}},{{end}}{{ structToJSON $p }}\n {{- $first = false }}\n {{- end }}\n {{- end}}\n {{- end}}\n ]\n - name: ISTIO_META_APP_CONTAINERS\n value: \"{{ $containers | join \",\" }}\"\n - name: ISTIO_META_CLUSTER_ID\n value: \"{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}\"\n - name: ISTIO_META_INTERCEPTION_MODE\n value: \"{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}\"\n {{- if .Values.global.network }}\n - name: ISTIO_META_NETWORK\n value: \"{{ .Values.global.network }}\"\n {{- end }}\n {{ if .ObjectMeta.Annotations }}\n - name: ISTIO_METAJSON_ANNOTATIONS\n value: |\n {{ toJSON .ObjectMeta.Annotations }}\n {{ end }}\n {{- if .DeploymentMeta.Name }}\n - name: ISTIO_META_WORKLOAD_NAME\n value: \"{{ .DeploymentMeta.Name }}\"\n {{ end }}\n {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}\n - name: ISTIO_META_OWNER\n value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}\n {{- end}}\n {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}\n - name: ISTIO_BOOTSTRAP_OVERRIDE\n value: \"/etc/istio/custom-bootstrap/custom_bootstrap.json\"\n {{- end }}\n {{- if .Values.global.meshID }}\n - name: ISTIO_META_MESH_ID\n value: \"{{ .Values.global.meshID }}\"\n {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}\n - name: ISTIO_META_MESH_ID\n value: \"{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}\"\n {{- end }}\n {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}\n - name: TRUST_DOMAIN\n value: \"{{ . }}\"\n {{- end }}\n {{- if and (eq .Values.global.proxy.tracer \"datadog\") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}\n {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}\n - name: {{ $key }}\n value: \"{{ $value }}\"\n {{- end }}\n {{- end }}\n {{- range $key, $value := .ProxyConfig.ProxyMetadata }}\n - name: {{ $key }}\n value: \"{{ $value }}\"\n {{- end }}\n imagePullPolicy: \"{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}\"\n {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}\n readinessProbe:\n httpGet:\n path: /healthz/ready\n port: 15021\n initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}\n periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}\n timeoutSeconds: 3\n failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}\n {{ end -}}\n securityContext:\n allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}\n capabilities:\n {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}\n add:\n {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}\n - NET_ADMIN\n {{- end }}\n {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}\n - NET_BIND_SERVICE\n {{- end }}\n {{- end }}\n drop:\n - ALL\n privileged: {{ .Values.global.proxy.privileged }}\n readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}\n runAsGroup: 1337\n fsGroup: 1337\n {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}\n runAsNonRoot: false\n runAsUser: 0\n {{- else -}}\n runAsNonRoot: true\n runAsUser: 1337\n {{- end }}\n resources:\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}\n requests:\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}\n cpu: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}\"\n {{ end }}\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}\n memory: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}\"\n {{ end }}\n {{- end }}\n {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}\n limits:\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}\n cpu: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}\"\n {{ end }}\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}\n memory: \"{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}\"\n {{ end }}\n {{- end }}\n {{- else }}\n {{- if .Values.global.proxy.resources }}\n {{ toYaml .Values.global.proxy.resources | indent 6 }}\n {{- end }}\n {{- end }}\n volumeMounts:\n {{- if eq .Values.global.pilotCertProvider \"istiod\" }}\n - mountPath: /var/run/secrets/istio\n name: istiod-ca-cert\n {{- end }}\n - mountPath: /var/lib/istio/data\n name: istio-data\n {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}\n - mountPath: /etc/istio/custom-bootstrap\n name: custom-bootstrap-volume\n {{- end }}\n # SDS channel between istioagent and Envoy\n - mountPath: /etc/istio/proxy\n name: istio-envoy\n {{- if eq .Values.global.jwtPolicy \"third-party-jwt\" }}\n - mountPath: /var/run/secrets/tokens\n name: istio-token\n {{- end }}\n {{- if .Values.global.mountMtlsCerts }}\n # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.\n - mountPath: /etc/certs/\n name: istio-certs\n readOnly: true\n {{- end }}\n - name: istio-podinfo\n mountPath: /etc/istio/pod\n {{- if and (eq .Values.global.proxy.tracer \"lightstep\") .ProxyConfig.GetTracing.GetTlsSettings }}\n - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}\n name: lightstep-certs\n readOnly: true\n {{- end }}\n {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}\n {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}\n - name: \"{{ $index }}\"\n {{ toYaml $value | indent 6 }}\n {{ end }}\n {{- end }}\n volumes:\n {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}\n - name: custom-bootstrap-volume\n configMap:\n name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` \"\" }}\n {{- end }}\n # SDS channel between istioagent and Envoy\n - emptyDir:\n medium: Memory\n name: istio-envoy\n - name: istio-data\n emptyDir: {}\n - name: istio-podinfo\n downwardAPI:\n items:\n - path: \"labels\"\n fieldRef:\n fieldPath: metadata.labels\n - path: \"annotations\"\n fieldRef:\n fieldPath: metadata.annotations\n - path: \"cpu-limit\"\n resourceFieldRef:\n containerName: istio-proxy\n resource: limits.cpu\n divisor: 1m\n - path: \"cpu-request\"\n resourceFieldRef:\n containerName: istio-proxy\n resource: requests.cpu\n divisor: 1m\n {{- if eq .Values.global.jwtPolicy \"third-party-jwt\" }}\n - name: istio-token\n projected:\n sources:\n - serviceAccountToken:\n path: istio-token\n expirationSeconds: 43200\n audience: {{ .Values.global.sds.token.aud }}\n {{- end }}\n {{- if eq .Values.global.pilotCertProvider \"istiod\" }}\n - name: istiod-ca-cert\n configMap:\n name: istio-ca-root-cert\n {{- end }}\n {{- if .Values.global.mountMtlsCerts }}\n # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.\n - name: istio-certs\n secret:\n optional: true\n {{ if eq .Spec.ServiceAccountName \"\" }}\n secretName: istio.default\n {{ else -}}\n secretName: {{ printf \"istio.%s\" .Spec.ServiceAccountName }}\n {{ end -}}\n {{- end }}\n {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}\n {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}\n - name: \"{{ $index }}\"\n {{ toYaml $value | indent 4 }}\n {{ end }}\n {{ end }}\n {{- if and (eq .Values.global.proxy.tracer \"lightstep\") .ProxyConfig.GetTracing.GetTlsSettings }}\n - name: lightstep-certs\n secret:\n optional: true\n secretName: lightstep.cacert\n {{- end }}\n {{- if .Values.global.imagePullSecrets }}\n imagePullSecrets:\n {{- range .Values.global.imagePullSecrets }}\n - name: {{ . }}\n {{- end }}\n {{- end }}\n {{- if eq (env \"ENABLE_LEGACY_FSGROUP_INJECTION\" \"true\") \"true\" }}\n securityContext:\n fsGroup: 1337\n {{- end }}\n values: |-\n {\n \"global\": {\n \"arch\": {\n \"amd64\": 2,\n \"ppc64le\": 2,\n \"s390x\": 2\n },\n \"caAddress\": \"\",\n \"configValidation\": true,\n \"defaultNodeSelector\": {},\n \"defaultPodDisruptionBudget\": {\n \"enabled\": true\n },\n \"defaultResources\": {\n \"requests\": {\n \"cpu\": \"10m\"\n }\n },\n \"enabled\": true,\n \"externalIstiod\": false,\n \"hub\": \"docker.io/istio\",\n \"imagePullPolicy\": \"\",\n \"imagePullSecrets\": [],\n \"istioNamespace\": \"istio-system\",\n \"istiod\": {\n \"enableAnalysis\": false\n },\n \"jwtPolicy\": \"first-party-jwt\",\n \"logAsJson\": false,\n \"logging\": {\n \"level\": \"default:info\"\n },\n \"meshID\": \"\",\n \"meshNetworks\": {},\n \"mountMtlsCerts\": false,\n \"multiCluster\": {\n \"clusterName\": \"\",\n \"enabled\": false\n },\n \"namespace\": \"istio-system\",\n \"network\": \"\",\n \"omitSidecarInjectorConfigMap\": false,\n \"oneNamespace\": false,\n \"operatorManageWebhooks\": false,\n \"pilotCertProvider\": \"istiod\",\n \"priorityClassName\": \"\",\n \"proxy\": {\n \"autoInject\": \"enabled\",\n \"clusterDomain\": \"cluster.local\",\n \"componentLogLevel\": \"misc:error\",\n \"enableCoreDump\": false,\n \"excludeIPRanges\": \"\",\n \"excludeInboundPorts\": \"\",\n \"excludeOutboundPorts\": \"\",\n \"holdApplicationUntilProxyStarts\": false,\n \"image\": \"proxyv2\",\n \"includeIPRanges\": \"*\",\n \"logLevel\": \"warning\",\n \"privileged\": false,\n \"readinessFailureThreshold\": 30,\n \"readinessInitialDelaySeconds\": 1,\n \"readinessPeriodSeconds\": 2,\n \"resources\": {\n \"limits\": {\n \"cpu\": \"2000m\",\n \"memory\": \"1024Mi\"\n },\n \"requests\": {\n \"cpu\": \"10m\",\n \"memory\": \"40Mi\"\n }\n },\n \"statusPort\": 15020,\n \"tracer\": \"zipkin\"\n },\n \"proxy_init\": {\n \"image\": \"proxyv2\",\n \"resources\": {\n \"limits\": {\n \"cpu\": \"2000m\",\n \"memory\": \"1024Mi\"\n },\n \"requests\": {\n \"cpu\": \"10m\",\n \"memory\": \"10Mi\"\n }\n }\n },\n \"remotePilotAddress\": \"\",\n \"sds\": {\n \"token\": {\n \"aud\": \"istio-ca\"\n }\n },\n \"sts\": {\n \"servicePort\": 0\n },\n \"tag\": \"1.9.0\",\n \"tracer\": {\n \"datadog\": {\n \"address\": \"$(HOST_IP):8126\"\n },\n \"lightstep\": {\n \"accessToken\": \"\",\n \"address\": \"\"\n },\n \"stackdriver\": {\n \"debug\": false,\n \"maxNumberOfAnnotations\": 200,\n \"maxNumberOfAttributes\": 200,\n \"maxNumberOfMessageEvents\": 200\n },\n \"zipkin\": {\n \"address\": \"\"\n }\n },\n \"trustDomain\": \"\",\n \"useMCP\": false\n },\n \"istio_cni\": {\n \"enabled\": false\n },\n \"revision\": \"\",\n \"sidecarInjectorWebhook\": {\n \"alwaysInjectSelector\": [],\n \"defaultTemplates\": [],\n \"enableNamespacesByDefault\": false,\n \"injectedAnnotations\": {},\n \"neverInjectSelector\": [],\n \"objectSelector\": {\n \"autoInject\": true,\n \"enabled\": true\n },\n \"rewriteAppHTTPProbe\": true,\n \"templates\": {},\n \"useLegacySelectors\": true\n }\n }\nkind: ConfigMap\nmetadata:\n labels:\n install.operator.istio.io/owning-resource: unknown\n istio.io/rev: default\n operator.istio.io/component: Pilot\n release: istio\n name: istio-sidecar-injector\n namespace: istio-system"
},
{
"path": "patch/jupyter-web-app.yaml",
"content": "---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n name: jupyter-web-app-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: jupyter-web-app\n kustomize.component: jupyter-web-app\n spec:\n containers:\n - env:\n - name: APP_PREFIX\n value: /jupyter\n - name: UI\n value: default\n - name: USERID_HEADER\n value: kubeflow-userid\n - name: USERID_PREFIX\n value: \"\"\n - name: APP_DISABLE_AUTH\n value: \"True\"\n # This gets rid of erro: Could not find CSRF cookie XSRF-TOKEN in the request\n - name: APP_SECURE_COOKIES\n value: \"False\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-jupyter-web-app:v1.3.0-rc.0-70edb\n name: jupyter-web-app\n ports:\n - containerPort: 5000\n volumeMounts:\n - mountPath: /etc/config\n name: config-volume\n serviceAccountName: jupyter-web-app-service-account\n volumes:\n - configMap:\n name: jupyter-web-app-config-tkhtgh5mcm\n name: config-volume"
},
{
"path": "patch/kfserving.yaml",
"content": "apiVersion: caching.internal.knative.dev/v1alpha1\nkind: Image\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: queue-proxy\n namespace: knative-serving\nspec:\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/knative-serving-queue:v0.14.3\n---\napiVersion: v1\ndata:\n _example: |\n ################################\n # #\n # EXAMPLE CONFIGURATION #\n # #\n ################################\n\n # This block is not actually functional configuration,\n # but serves to illustrate the available configuration\n # options and document them in a way that is accessible\n # to users that `kubectl edit` this config map.\n #\n # These sample configuration options may be copied out of\n # this example block and unindented to be in the data block\n # to actually change the configuration.\n\n # List of repositories for which tag to digest resolving should be skipped\n registriesSkippingTagResolving: \"ko.local,dev.local\"\n queueSidecarImage: registry.cn-shenzhen.aliyuncs.com/tensorbytes/knative-serving-queue:v0.14.3\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: knative-serving-install\n app.kubernetes.io/name: knative-serving-install\n kustomize.component: knative\n serving.knative.dev/release: v0.14.3\n name: config-deployment\n namespace: knative-serving\n---\n\napiVersion: v1\ndata:\n agent: |-\n {\n \"image\" : \"kfserving/agent:v0.5.1\",\n \"memoryRequest\": \"100Mi\",\n \"memoryLimit\": \"1Gi\",\n \"cpuRequest\": \"100m\",\n \"cpuLimit\": \"1\"\n }\n batcher: |-\n {\n \"image\" : \"kfserving/agent:v0.5.1\",\n \"memoryRequest\": \"1Gi\",\n \"memoryLimit\": \"1Gi\",\n \"cpuRequest\": \"1\",\n \"cpuLimit\": \"1\"\n }\n credentials: |-\n {\n \"gcs\": {\n \"gcsCredentialFileName\": \"gcloud-application-credentials.json\"\n },\n \"s3\": {\n \"s3AccessKeyIDName\": \"AWS_ACCESS_KEY_ID\",\n \"s3SecretAccessKeyName\": \"AWS_SECRET_ACCESS_KEY\"\n }\n }\n explainers: |-\n {\n \"alibi\": {\n \"image\" : \"kfserving/alibi-explainer\",\n \"defaultImageVersion\": \"v0.5.1\"\n },\n \"aix\": {\n \"image\" : \"kfserving/aix-explainer\",\n \"defaultImageVersion\": \"v0.5.1\"\n },\n \"art\": {\n \"image\" : \"kfserving/art-explainer\",\n \"defaultImageVersion\": \"v0.5.1\"\n }\n }\n ingress: |-\n {\n \"ingressGateway\" : \"kubeflow-gateway.kubeflow\",\n \"ingressService\" : \"istio-ingressgateway.istio-system.svc.cluster.local\",\n \"localGateway\" : \"cluster-local-gateway.knative-serving\",\n \"localGatewayService\" : \"cluster-local-gateway.istio-system.svc.cluster.local\"\n }\n logger: |-\n {\n \"image\" : \"kfserving/agent:v0.5.1\",\n \"memoryRequest\": \"100Mi\",\n \"memoryLimit\": \"1Gi\",\n \"cpuRequest\": \"100m\",\n \"cpuLimit\": \"1\",\n \"defaultUrl\": \"http://default-broker\"\n }\n predictors: |-\n {\n \"tensorflow\": {\n \"image\": \"tensorflow/serving\",\n \"defaultImageVersion\": \"1.14.0\",\n \"defaultGpuImageVersion\": \"1.14.0-gpu\",\n \"defaultTimeout\": \"60\",\n \"supportedFrameworks\": [\n \"tensorflow\"\n ],\n \"multiModelServer\": false\n },\n \"onnx\": {\n \"image\": \"mcr.microsoft.com/onnxruntime/server\",\n \"defaultImageVersion\": \"v1.0.0\",\n \"supportedFrameworks\": [\n \"onnx\"\n ],\n \"multiModelServer\": false\n },\n \"sklearn\": {\n \"v1\": {\n \"image\": \"registry.cn-shenzhen.aliyuncs.com/tensorbytes/sklearnserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"supportedFrameworks\": [\n \"sklearn\"\n ],\n \"multiModelServer\": false\n },\n \"v2\": {\n \"image\": \"docker.io/seldonio/mlserver\",\n \"defaultImageVersion\": \"0.2.1\",\n \"supportedFrameworks\": [\n \"sklearn\"\n ],\n \"multiModelServer\": false\n }\n },\n \"xgboost\": {\n \"v1\": {\n \"image\": \"registry.cn-shenzhen.aliyuncs.com/tensorbytes/xgbserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"supportedFrameworks\": [\n \"xgboost\"\n ],\n \"multiModelServer\": false\n },\n \"v2\": {\n \"image\": \"docker.io/seldonio/mlserver\",\n \"defaultImageVersion\": \"0.2.1\",\n \"supportedFrameworks\": [\n \"xgboost\"\n ],\n \"multiModelServer\": false\n }\n },\n \"pytorch\": {\n \"v1\" : {\n \"image\": \"registry.cn-shenzhen.aliyuncs.com/tensorbytes/pytorchserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"defaultGpuImageVersion\": \"v0.5.1-gpu\",\n \"supportedFrameworks\": [\n \"pytorch\"\n ],\n \"multiModelServer\": false\n },\n \"v2\" : {\n \"image\": \"kfserving/torchserve-kfs\",\n \"defaultImageVersion\": \"0.3.0\",\n \"defaultGpuImageVersion\": \"0.3.0-gpu\",\n \"supportedFrameworks\": [\n \"pytorch\"\n ],\n \"multiModelServer\": false\n }\n },\n \"triton\": {\n \"image\": \"nvcr.io/nvidia/tritonserver\",\n \"defaultImageVersion\": \"20.08-py3\",\n \"supportedFrameworks\": [\n \"tensorrt\",\n \"tensorflow\",\n \"onnx\",\n \"pytorch\",\n \"caffe2\"\n ],\n \"multiModelServer\": false\n },\n \"pmml\": {\n \"image\": \"kfserving/pmmlserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"supportedFrameworks\": [\n \"pmml\"\n ],\n \"multiModelServer\": false\n },\n \"lightgbm\": {\n \"image\": \"kfserving/lgbserver\",\n \"defaultImageVersion\": \"v0.5.1\",\n \"supportedFrameworks\": [\n \"lightgbm\"\n ],\n \"multiModelServer\": false\n }\n }\n storageInitializer: |-\n {\n \"image\" : \"registry.cn-shenzhen.aliyuncs.com/tensorbytes/storage-initializer:v0.5.1\",\n \"memoryRequest\": \"100Mi\",\n \"memoryLimit\": \"1Gi\",\n \"cpuRequest\": \"100m\",\n \"cpuLimit\": \"1\"\n }\n transformers: |-\n {\n }\nkind: ConfigMap\nmetadata:\n labels:\n app: kfserving\n app.kubernetes.io/component: kfserving\n app.kubernetes.io/name: kfserving\n kustomize.component: kfserving\n name: inferenceservice-config\n namespace: kubeflow"
},
{
"path": "patch/pipeline-env-platform-agnostic-multi-user.yaml",
"content": "apiVersion: v1\ndata:\n sync.py: |\n # Copyright 2020-2021 Google LLC\n #\n # Licensed under the Apache License, Version 2.0 (the \"License\");\n # you may not use this file except in compliance with the License.\n # You may obtain a copy of the License at\n #\n # http://www.apache.org/licenses/LICENSE-2.0\n #\n # Unless required by applicable law or agreed to in writing, software\n # distributed under the License is distributed on an \"AS IS\" BASIS,\n # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n # See the License for the specific language governing permissions and\n # limitations under the License.\n\n from http.server import BaseHTTPRequestHandler, HTTPServer\n import json\n import os\n import base64\n\n kfp_version = os.environ[\"KFP_VERSION\"]\n disable_istio_sidecar = os.environ.get(\"DISABLE_ISTIO_SIDECAR\") == \"true\"\n mlpipeline_minio_access_key = base64.b64encode(\n bytes(os.environ.get(\"MINIO_ACCESS_KEY\"), 'utf-8')).decode('utf-8')\n mlpipeline_minio_secret_key = base64.b64encode(\n bytes(os.environ.get(\"MINIO_SECRET_KEY\"), 'utf-8')).decode('utf-8')\n\n\n class Controller(BaseHTTPRequestHandler):\n def sync(self, parent, children):\n pipeline_enabled = parent.get(\"metadata\", {}).get(\n \"labels\", {}).get(\"pipelines.kubeflow.org/enabled\")\n\n if pipeline_enabled != \"true\":\n return {\"status\": {}, \"children\": []}\n\n # Compute status based on observed state.\n desired_status = {\n \"kubeflow-pipelines-ready\": \\\n len(children[\"Secret.v1\"]) == 1 and \\\n len(children[\"ConfigMap.v1\"]) == 1 and \\\n len(children[\"Deployment.apps/v1\"]) == 2 and \\\n len(children[\"Service.v1\"]) == 2 and \\\n len(children[\"DestinationRule.networking.istio.io/v1alpha3\"]) == 1 and \\\n len(children[\"AuthorizationPolicy.security.istio.io/v1beta1\"]) == 1 and \\\n \"True\" or \"False\"\n }\n\n # Generate the desired child object(s).\n # parent is a namespace\n namespace = parent.get(\"metadata\", {}).get(\"name\")\n desired_resources = [\n {\n \"apiVersion\": \"v1\",\n \"kind\": \"ConfigMap\",\n \"metadata\": {\n \"name\": \"metadata-grpc-configmap\",\n \"namespace\": namespace,\n },\n \"data\": {\n \"METADATA_GRPC_SERVICE_HOST\":\n \"metadata-grpc-service.kubeflow\",\n \"METADATA_GRPC_SERVICE_PORT\": \"8080\",\n },\n },\n # Visualization server related manifests below\n {\n \"apiVersion\": \"apps/v1\",\n \"kind\": \"Deployment\",\n \"metadata\": {\n \"labels\": {\n \"app\": \"ml-pipeline-visualizationserver\"\n },\n \"name\": \"ml-pipeline-visualizationserver\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"selector\": {\n \"matchLabels\": {\n \"app\": \"ml-pipeline-visualizationserver\"\n },\n },\n \"template\": {\n \"metadata\": {\n \"labels\": {\n \"app\": \"ml-pipeline-visualizationserver\"\n },\n \"annotations\": disable_istio_sidecar and {\n \"sidecar.istio.io/inject\": \"false\"\n } or {},\n },\n \"spec\": {\n \"containers\": [{\n \"image\":\n \"registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-visualization-server:1.5.0-rc.2-03636\",\n \"imagePullPolicy\":\n \"IfNotPresent\",\n \"name\":\n \"ml-pipeline-visualizationserver\",\n \"ports\": [{\n \"containerPort\": 8888\n }],\n \"resources\": {\n \"requests\": {\n \"cpu\": \"50m\",\n \"memory\": \"200Mi\"\n },\n \"limits\": {\n \"cpu\": \"500m\",\n \"memory\": \"1Gi\"\n },\n }\n }],\n \"serviceAccountName\":\n \"default-editor\",\n },\n },\n },\n },\n {\n \"apiVersion\": \"networking.istio.io/v1alpha3\",\n \"kind\": \"DestinationRule\",\n \"metadata\": {\n \"name\": \"ml-pipeline-visualizationserver\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"host\": \"ml-pipeline-visualizationserver\",\n \"trafficPolicy\": {\n \"tls\": {\n \"mode\": \"ISTIO_MUTUAL\"\n }\n }\n }\n },\n {\n \"apiVersion\": \"security.istio.io/v1beta1\",\n \"kind\": \"AuthorizationPolicy\",\n \"metadata\": {\n \"name\": \"ml-pipeline-visualizationserver\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"selector\": {\n \"matchLabels\": {\n \"app\": \"ml-pipeline-visualizationserver\"\n }\n },\n \"rules\": [{\n \"from\": [{\n \"source\": {\n \"principals\": [\"cluster.local/ns/kubeflow/sa/ml-pipeline\"]\n }\n }]\n }]\n }\n },\n {\n \"apiVersion\": \"v1\",\n \"kind\": \"Service\",\n \"metadata\": {\n \"name\": \"ml-pipeline-visualizationserver\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"ports\": [{\n \"name\": \"http\",\n \"port\": 8888,\n \"protocol\": \"TCP\",\n \"targetPort\": 8888,\n }],\n \"selector\": {\n \"app\": \"ml-pipeline-visualizationserver\",\n },\n },\n },\n # Artifact fetcher related resources below.\n {\n \"apiVersion\": \"apps/v1\",\n \"kind\": \"Deployment\",\n \"metadata\": {\n \"labels\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n },\n \"name\": \"ml-pipeline-ui-artifact\",\n \"namespace\": namespace,\n },\n \"spec\": {\n \"selector\": {\n \"matchLabels\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n }\n },\n \"template\": {\n \"metadata\": {\n \"labels\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n },\n \"annotations\": disable_istio_sidecar and {\n \"sidecar.istio.io/inject\": \"false\"\n } or {},\n },\n \"spec\": {\n \"containers\": [{\n \"name\":\n \"ml-pipeline-ui-artifact\",\n \"image\":\n \"registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-frontend:1.5.0-rc.2-34ae9\",\n \"imagePullPolicy\":\n \"IfNotPresent\",\n \"ports\": [{\n \"containerPort\": 3000\n }],\n \"resources\": {\n \"requests\": {\n \"cpu\": \"10m\",\n \"memory\": \"70Mi\"\n },\n \"limits\": {\n \"cpu\": \"100m\",\n \"memory\": \"500Mi\"\n },\n }\n }],\n \"serviceAccountName\":\n \"default-editor\"\n }\n }\n }\n },\n {\n \"apiVersion\": \"v1\",\n \"kind\": \"Service\",\n \"metadata\": {\n \"name\": \"ml-pipeline-ui-artifact\",\n \"namespace\": namespace,\n \"labels\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n }\n },\n \"spec\": {\n \"ports\": [{\n \"name\":\n \"http\", # name is required to let istio understand request protocol\n \"port\": 80,\n \"protocol\": \"TCP\",\n \"targetPort\": 3000\n }],\n \"selector\": {\n \"app\": \"ml-pipeline-ui-artifact\"\n }\n }\n },\n ]\n print('Received request:', parent)\n print('Desired resources except secrets:', desired_resources)\n # Moved after the print argument because this is sensitive data.\n desired_resources.append({\n \"apiVersion\": \"v1\",\n \"kind\": \"Secret\",\n \"metadata\": {\n \"name\": \"mlpipeline-minio-artifact\",\n \"namespace\": namespace,\n },\n \"data\": {\n \"accesskey\": mlpipeline_minio_access_key,\n \"secretkey\": mlpipeline_minio_secret_key,\n },\n })\n\n return {\"status\": desired_status, \"children\": desired_resources}\n\n def do_POST(self):\n # Serve the sync() function as a JSON webhook.\n observed = json.loads(\n self.rfile.read(int(self.headers.get(\"content-length\"))))\n desired = self.sync(observed[\"parent\"], observed[\"children\"])\n\n self.send_response(200)\n self.send_header(\"Content-type\", \"application/json\")\n self.end_headers()\n self.wfile.write(bytes(json.dumps(desired), 'utf-8'))\n\n\n HTTPServer((\"\", 8080), Controller).serve_forever()\nkind: ConfigMap\nmetadata:\n labels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-profile-controller-code-c2cd68d9k4\n namespace: kubeflow\n---\n\napiVersion: v1\ndata:\n appName: pipeline\n appVersion: 1.5.0-rc.2\n autoUpdatePipelineDefaultVersion: \"true\"\n bucketName: mlpipeline\n cacheDb: cachedb\n cacheImage: busybox\n cronScheduleTimezone: UTC\n dbHost: mysql\n dbPort: \"3306\"\n mlmdDb: metadb\n pipelineDb: mlpipeline\nkind: ConfigMap\nmetadata:\n labels:\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: pipeline-install-config\n namespace: kubeflow\n\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: workflow-controller\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: workflow-controller\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n labels:\n app: workflow-controller\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - args:\n - --configmap\n - workflow-controller-configmap\n - --executor-image\n - registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-argoexec:v2.12.9-license-compliance\n command:\n - workflow-controller\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-workflow-controller:v2.12.9-license-compliance-2d9c1\n livenessProbe:\n httpGet:\n path: /metrics\n port: metrics\n initialDelaySeconds: 30\n periodSeconds: 30\n name: workflow-controller\n ports:\n - containerPort: 9090\n name: metrics\n resources:\n requests:\n cpu: 100m\n memory: 500Mi\n nodeSelector:\n kubernetes.io/os: linux\n securityContext:\n runAsNonRoot: true\n serviceAccountName: argo\n\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: kubeflow-pipelines-profile-controller\n namespace: kubeflow\nspec:\n replicas: 1 # change replica number\n selector:\n matchLabels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: kubeflow-pipelines-profile-controller\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - command:\n - python\n - /hooks/sync.py\n env:\n - name: KFP_VERSION\n valueFrom:\n configMapKeyRef:\n key: appVersion\n name: pipeline-install-config\n - name: MINIO_ACCESS_KEY\n valueFrom:\n secretKeyRef:\n key: accesskey\n name: mlpipeline-minio-artifact\n - name: MINIO_SECRET_KEY\n valueFrom:\n secretKeyRef:\n key: secretkey\n name: mlpipeline-minio-artifact\n envFrom:\n - configMapRef:\n name: kubeflow-pipelines-profile-controller-env-5252m69c4c\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/python:3.7-3a781\n name: profile-controller\n ports:\n - containerPort: 8080\n volumeMounts:\n - mountPath: /hooks\n name: hooks\n volumes:\n - configMap:\n name: kubeflow-pipelines-profile-controller-code-c2cd68d9k4\n name: hooks"
},
{
"path": "patch/tensorboard.yaml",
"content": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n name: tensorboards-web-app-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: tensorboards-web-app\n kustomize.component: tensorboards-web-app\n spec:\n containers:\n - env:\n - name: APP_PREFIX\n value: /tensorboards\n - name: USERID_HEADER\n value: kubeflow-userid\n - name: USERID_PREFIX\n value: \"\"\n - name: APP_SECURE_COOKIES\n value: \"False\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-tensorboards-web-app:v1.3.0-rc.0-258dd\n name: tensorboards-web-app\n ports:\n - containerPort: 5000\n serviceAccountName: tensorboards-web-app-service-account"
},
{
"path": "patch/volumes-web-app.yaml",
"content": "---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n name: volumes-web-app-deployment\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n template:\n metadata:\n annotations:\n sidecar.istio.io/inject: \"false\"\n labels:\n app: volumes-web-app\n kustomize.component: volumes-web-app\n spec:\n containers:\n - env:\n - name: APP_PREFIX\n value: /volumes\n - name: USERID_HEADER\n value: kubeflow-userid\n - name: USERID_PREFIX\n value: \"\"\n - name: APP_SECURE_COOKIES\n value: \"False\"\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-volumes-web-app:v1.3.0-rc.0-fe235\n name: volumes-web-app\n ports:\n - containerPort: 5000\n serviceAccountName: volumes-web-app-service-account\n"
},
{
"path": "patch/workflow-controller.yaml",
"content": "apiVersion: v1\ndata:\n artifactRepository: |\n archiveLogs: true\n s3:\n endpoint: \"minio-service.kubeflow:9000\"\n bucket: \"mlpipeline\"\n keyFormat: \"artifacts/{{workflow.name}}/{{pod.name}}\"\n # insecure will disable TLS. Primarily used for minio installs not configured with TLS\n insecure: true\n accessKeySecret:\n name: mlpipeline-minio-artifact\n key: accesskey\n secretKeySecret:\n name: mlpipeline-minio-artifact\n key: secretkey\n containerRuntimeExecutor: k8sapi\nkind: ConfigMap\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: workflow-controller-configmap\n namespace: kubeflow\n\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n application-crd-id: kubeflow-pipelines\n name: workflow-controller\n namespace: kubeflow\nspec:\n selector:\n matchLabels:\n app: workflow-controller\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n labels:\n app: workflow-controller\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - args:\n - --configmap\n - workflow-controller-configmap\n - --executor-image\n - registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-argoexec:v2.12.9-license-compliance\n command:\n - workflow-controller\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-workflow-controller:v2.12.9-license-compliance-2d9c1\n livenessProbe:\n httpGet:\n path: /metrics\n port: metrics\n initialDelaySeconds: 30\n periodSeconds: 30\n name: workflow-controller\n ports:\n - containerPort: 9090\n name: metrics\n resources:\n requests:\n cpu: 100m\n memory: 500Mi\n nodeSelector:\n kubernetes.io/os: linux\n securityContext:\n runAsNonRoot: true\n serviceAccountName: argo\n\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n name: cache-server\n namespace: kubeflow\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n template:\n metadata:\n labels:\n app: cache-server\n app.kubernetes.io/component: ml-pipeline\n app.kubernetes.io/name: kubeflow-pipelines\n application-crd-id: kubeflow-pipelines\n spec:\n containers:\n - args:\n - --db_driver=$(DBCONFIG_DRIVER)\n - --db_host=$(DBCONFIG_HOST_NAME)\n - --db_port=$(DBCONFIG_PORT)\n - --db_name=$(DBCONFIG_DB_NAME)\n - --db_user=$(DBCONFIG_USER)\n - --db_password=$(DBCONFIG_PASSWORD)\n - --namespace_to_watch=$(NAMESPACE_TO_WATCH)\n env:\n - name: NAMESPACE_TO_WATCH\n value: \"\"\n - name: CACHE_IMAGE\n valueFrom:\n configMapKeyRef:\n key: cacheImage\n name: pipeline-install-config\n - name: DBCONFIG_DRIVER\n value: mysql\n - name: DBCONFIG_DB_NAME\n valueFrom:\n configMapKeyRef:\n key: cacheDb\n name: pipeline-install-config\n - name: DBCONFIG_HOST_NAME\n valueFrom:\n configMapKeyRef:\n key: dbHost\n name: pipeline-install-config\n - name: DBCONFIG_PORT\n valueFrom:\n configMapKeyRef:\n key: dbPort\n name: pipeline-install-config\n - name: DBCONFIG_USER\n valueFrom:\n secretKeyRef:\n key: username\n name: mysql-secret\n - name: DBCONFIG_PASSWORD\n valueFrom:\n secretKeyRef:\n key: password\n name: mysql-secret\n image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-cache-server:1.5.0-rc.2-a44df\n imagePullPolicy: Always\n name: server\n ports:\n - containerPort: 8443\n name: webhook-api\n volumeMounts:\n - mountPath: /etc/webhook/certs\n name: webhook-tls-certs\n readOnly: true\n serviceAccountName: kubeflow-pipelines-cache\n volumes:\n - name: webhook-tls-certs\n secret:\n secretName: webhook-server-tls"
},
{
"path": "pre-install.py",
"content": "#!/bin/python\n#coding:utf-8\n\nimport os\nimport shlex\nimport yaml\nfrom yaml import CLoader\nfrom replace import replaceImage\nimport subprocess\n\n\nmainfile = \"kustomization.yaml\"\n\nwith open(mainfile, \"r\") as fr:\n kustomizefile = yaml.load(fr,Loader=CLoader)\n\nn = 0\nfor path in kustomizefile['resources']:\n n = n + 1\n abspath = os.path.abspath(path)\n abspath = abspath.replace(\"\\\\\",\"/\")\n filename = \"-\".join([path.split(\"/\")[2]]+path.split(\"/\")[-2:])\n cmd = \"kustomize build --load_restrictor=none {path}\".format(path=path)\n print(cmd)\n p = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE)\n out = p.stdout.read()\n if out == \"\":\n raise ValueError(cmd)\n filename = str(n).zfill(3) + \"-\" + filename +\".yaml\"\n out = replaceImage(out.decode(\"utf-8\"))\n with open(\"file/\"+ filename, \"w\", encoding=\"utf-8\") as fw:\n fw.write(out)"
},
{
"path": "replace.py",
"content": "#!/bin/python\n#coding:utf-8\nimport yaml\nimport os\nimport subprocess\nimport sys\nimport json\n\n\nIMAGE_PREFIX = \"registry.cn-shenzhen.aliyuncs.com/tensorbytes/\"\n\n\ndef getNewImage(image, prefix):\n # get hash of image\n cmd = \"docker inspect \"+image\n print(cmd)\n p = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE)\n out = p.stdout.read()\n out = json.loads(out)[0]\n imagehash = out[\"Id\"].split(\":\")[-1][:5]\n pending = \"-\" + imagehash\n # change image to new tag\n app = image.split(\"/\")[-1]\n if len(image.split(\"/\")) > 1:\n org = image.split(\"/\")[-2]\n app = org + \"-\" + app\n if \":\" in app:\n if \"@sha256:\" in app:\n appname = app.split(\"@\")[0]\n appversion = \"special\"\n else:\n appversion = app.split(\":\")[-1]\n appname = app.split(\":\")[0]\n else:\n appname = app\n appversion = \"latest\"\n newImage = prefix + appname + \":\" + appversion + pending\n return newImage\n\n\ndef findDeploymentImage(content):\n crs = content.split(\"---\\n\")\n images = dict()\n for cr in crs:\n if len(cr) < 0:\n continue\n obj = yaml.load(cr, yaml.CLoader)\n if obj is None or \"kind\" not in obj:\n continue\n if obj[\"kind\"] == \"Deployment\" or obj[\"kind\"] == \"StatefulSet\":\n containers = obj[\"spec\"][\"template\"][\"spec\"][\"containers\"]\n for c in containers:\n obj_image = c[\"image\"]\n cmdPull = \"docker pull {image}\".format(image=obj_image)\n os.system(cmdPull)\n newimage = getNewImage(obj_image, IMAGE_PREFIX)\n images[obj_image] = newimage\n return images\n\n\ndef replaceImage(content):\n imageMap = findDeploymentImage(content)\n for image in imageMap:\n content = content.replace(image,imageMap[image])\n logAndPushImage(imageMap)\n return content\n\ndef logAndPushImage(imageMap):\n with open(\"images.log\",\"a\") as fw:\n for image in imageMap:\n # pull image\n cmdPull = \"docker pull {image}\".format(image=image)\n # tag image\n cmdTag = \"docker tag {oldimage} {newimage}\".format(oldimage=image, newimage=imageMap[image])\n # push new images\n cmdPush = \"docker push {image}\".format(image=imageMap[image])\n print(cmdPush)\n os.system(cmdTag)\n os.system(cmdPush)\n # log\n line = image + \"\\t\" + imageMap[image]\n fw.write(line+\"\\n\")\n\n\nif __name__ == \"__main__\":\n with open(\"./file/023-jupyter-overlays-kubeflow.yaml\") as fr:\n images = replaceImage(fr.read())\n # print(images)"
},
{
"path": "replaceVolumes.py",
"content": "#!/bin/python\n#coding:utf-8\nimport os\nimport yaml\n\ndef findVolumeDeployment(content):\n crs = content.split(\"---\\n\")\n images = dict()\n for cr in crs:\n if len(cr) < 0:\n continue\n obj = yaml.load(cr, yaml.CLoader)\n if obj is None or \"kind\" not in obj:\n continue\n if obj[\"kind\"] == \"Deployment\":\n specs = obj[\"spec\"][\"template\"][\"spec\"]\n if \"volumes\" in specs:\n for v in specs[\"volumes\"]:\n if \"persistentVolumeClaim\" in v:\n del v[\"persistentVolumeClaim\"]\n v [\"emptyDir\"] = dict()\n yield v[\"name\"],cr\n\n\ndef savePatchPath(content,filename):\n path = \"./patch/\" + filename + \".yaml\"\n with open(path,\"w\") as fw:\n fw.write(content)\n\n\nif __name__ == \"__main__\":\n for root,path,files in os.walk(\"./file\"):\n for f in files:\n findfile = root + \"/\" + f\n with open(findfile,\"r\",encoding=\"utf-8\") as fr:\n for name,cr in findVolumeDeployment(fr.read()):\n print(name)\n print(cr)\n savePatchPath(cr, name)"
}
]