Repository: shikanon/kubeflow-manifests Branch: master Commit: b989d771b40d Files: 59 Total size: 2.0 MB Directory structure: gitextract_hy5cwtie/ ├── .gitignore ├── LICENSE ├── README-dev.md ├── README.md ├── database-patch/ │ └── mysql-persistent-storage.yaml ├── docs/ │ ├── introduction.md │ └── problems.md ├── example/ │ └── kitab-random-example.yaml ├── install.py ├── kind/ │ └── kind-config.yaml ├── local-path/ │ └── local-path-storage.yaml ├── manifest1.3/ │ ├── 001-cert-manager-cert-manager-kube-system-resources-base.yaml │ ├── 002-cert-manager-cert-manager-crds-base.yaml │ ├── 003-cert-manager-overlays-self-signed.yaml │ ├── 004-istio-1-9-0-istio-crds-base.yaml │ ├── 005-istio-1-9-0-istio-namespace-base.yaml │ ├── 006-istio-1-9-0-istio-install-base.yaml │ ├── 007-oidc-authservice-oidc-authservice-base.yaml │ ├── 008-dex-overlays-istio.yaml │ ├── 009-knative-knative-serving-crds-base.yaml │ ├── 010-knative-knative-serving-install-base.yaml │ ├── 011-knative-knative-eventing-crds-base.yaml │ ├── 012-knative-knative-eventing-install-base.yaml │ ├── 013-istio-1-9-0-cluster-local-gateway-base.yaml │ ├── 014-kubeflow-namespace-kubeflow-namespace-base.yaml │ ├── 015-kubeflow-roles-kubeflow-roles-base.yaml │ ├── 016-istio-1-9-0-kubeflow-istio-resources-base.yaml │ ├── 017-pipeline-env-platform-agnostic-multi-user.yaml │ ├── 018-kfserving-overlays-kubeflow.yaml │ ├── 019-katib-installs-katib-with-kubeflow-cert-manager.yaml │ ├── 020-centraldashboard-overlays-istio.yaml │ ├── 021-admission-webhook-overlays-cert-manager.yaml │ ├── 022-jupyter-overlays-istio.yaml │ ├── 023-jupyter-overlays-kubeflow.yaml │ ├── 024-profiles-overlays-kubeflow.yaml │ ├── 025-volumes-web-app-overlays-istio.yaml │ ├── 026-tensorboard-overlays-kubeflow.yaml │ ├── 027-tensorboard-overlays-istio.yaml │ ├── 028-tf-training-overlays-kubeflow.yaml │ ├── 029-pytorch-job-overlays-kubeflow.yaml │ ├── 030-mpi-job-overlays-kubeflow.yaml │ ├── 031-mxnet-job-overlays-kubeflow.yaml │ ├── 
032-xgboost-job-overlays-kubeflow.yaml │ └── 033-user-namespace-user-namespace-base.yaml ├── patch/ │ ├── auth.yaml │ ├── cluster-local-gateway.yaml │ ├── data.yaml │ ├── envoy-filter.yaml │ ├── istio-ingressgateway.yaml │ ├── istiod.yaml │ ├── jupyter-web-app.yaml │ ├── kfserving.yaml │ ├── pipeline-env-platform-agnostic-multi-user.yaml │ ├── tensorboard.yaml │ ├── volumes-web-app.yaml │ └── workflow-controller.yaml ├── pre-install.py ├── replace.py └── replaceVolumes.py ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ # Byte-compiled / optimized / DLL files __pycache__/ *.py[cod] *$py.class # C extensions *.so # Distribution / packaging .Python build/ develop-eggs/ dist/ downloads/ eggs/ .eggs/ lib/ lib64/ parts/ sdist/ var/ wheels/ pip-wheel-metadata/ share/python-wheels/ *.egg-info/ .installed.cfg *.egg MANIFEST # PyInstaller # Usually these files are written by a python script from a template # before PyInstaller builds the exe, so as to inject date/other infos into it. *.manifest *.spec # Installer logs pip-log.txt pip-delete-this-directory.txt # Unit test / coverage reports htmlcov/ .tox/ .nox/ .coverage .coverage.* .cache nosetests.xml coverage.xml *.cover *.py,cover .hypothesis/ .pytest_cache/ # Translations *.mo *.pot # Django stuff: *.log local_settings.py db.sqlite3 db.sqlite3-journal # Flask stuff: instance/ .webassets-cache # Scrapy stuff: .scrapy # Sphinx documentation docs/_build/ # PyBuilder target/ # Jupyter Notebook .ipynb_checkpoints # IPython profile_default/ ipython_config.py # pyenv .python-version # pipenv # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 
# However, in case of collaboration, if having platform-specific dependencies or dependencies # having no cross-platform support, pipenv may install dependencies that don't work, or not # install all needed dependencies. #Pipfile.lock # PEP 582; used by e.g. github.com/David-OConnor/pyflow __pypackages__/ # Celery stuff celerybeat-schedule celerybeat.pid # SageMath parsed files *.sage.py # Environments .env .venv env/ venv/ ENV/ env.bak/ venv.bak/ # Spyder project settings .spyderproject .spyproject # Rope project settings .ropeproject # mkdocs documentation /site # mypy .mypy_cache/ .dmypy.json dmypy.json # Pyre type checker .pyre/ ================================================ FILE: LICENSE ================================================ GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. 
To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. 
States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. 
An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. 
However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. 
Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. 
b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. 
b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. 
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. 
But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. 
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. 
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. 
Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. 
The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. 
"Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. 
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. 
If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. 
If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. 
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see . The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read . ================================================ FILE: README-dev.md ================================================ # 开发文档 这里主要介绍如何构建这个项目。主要分为几步:替换镜像,重新打标签上传到私有镜像仓库,生成安装文档。 运行命令: ```bash python pre-install.py python install.py ``` ## 实现原理 ### 预处理 通过 `kustomize build --load_restrictor=none` 生成镜像目标yaml 文件 ### 替换镜像 替换镜像主要是 `replace.py`实现,主要从 deployment, statefulset 找到镜像字段,重新打标签替换成新的镜像仓库地址,push上传到私有镜像仓库 ### 安装文件 运行`python install.py` 安装文件。 ## PATCH文件 patch文件主要针对官方yaml安装使用过程中的一些问题打的补丁 ### 鉴权问题 `auth.yaml` 主要用于创建用户自己的账号,用户名`admin@example.com`,密码`password` ### istio报istio-token找不到 主要是由于istio的JWT策略用到第三方鉴权,有些k8s版本不支持,可以将istio中的 `third-party-jwt` 改成 `first-party-jwt`,详细见`cluster-local-gateway.yaml`,`istio-ingressgateway.yaml`,`istiod.yaml`。`first-party-jwt` 使用的 service account token 没有受众(audience)限制和过期时间,集群支持时应优先保留 `third-party-jwt`。 ### 创建jupyter的时候返回 Could not find CSRF cookie XSRF-TOKEN 错误 主要是由于jupyter-web-app的安全验证策略导致的,详细见https://github.com/kubeflow/kubeflow/issues/5803 解决方案是在环境变量中加上`APP_SECURE_COOKIES=false`,修改见`jupyter-web-app.yaml`。该设置会让 cookie 不再带 Secure 属性,适用于通过 HTTP 访问的测试环境;通过 HTTPS 访问时应保持默认值。 ### 解决docker.sock not found 问题 因为 kind 使用的 containerd 作为容器运行时,而 argo workflow 默认 Workflow Executors使用的是 docker ,它会尝试挂载宿主机的 `docker.sock`,如果不存在就会报错,这里尝试将`workflow-controller-configmap`的`containerRuntimeExecutor` 改为 `k8sapi` 更换 Workflow Executors
来解决。详细见:https://argoproj.github.io/argo-workflows/workflow-executors/ ================================================ FILE: README.md ================================================ # Kubeflow安装及使用教程(中国版) 由于国内网络问题,Kubeflow 通常安装都是各种磕磕碰碰,以一颗为广大人民谋福利的心,这里提供中国的本地镜像版(阿里云镜像/dockerhub)的**安装**。 同时这里汇总了一些kubeflow的中文教程资料供大家参考。 ## Kubeflow 使用教程 - [kubeflow安装](/README.md) - [kubeflow各组件介绍](/docs/introduction.md) - [问题汇总](/docs/problems.md) ## 安装步骤 ### 安装k8s 如果已经有k8s集群,这一步可以跳过,直接到[kubeflow安装](https://github.com/shikanon/kubeflow-manifests#%E5%AE%89%E8%A3%85kubeflow)。 **kind安装k8s集群** 下载[kind工具](https://github.com/kubernetes-sigs/kind/tags) 使用kind安装k8s集群: ```bash $ kind create cluster --config=kind/kind-config.yaml --name=kubeflow --image=kindest/node:v1.16.15 ``` 启动成功后可以看到开了一个30000端口: ```bash $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 5f67af713e28 kindest/node:v1.19.1 "/usr/local/bin/entr…" 3 minutes ago Up 3 minutes 0.0.0.0:30000->30000/tcp, 127.0.0.1:56682->6443/tcp kubeflow-control-plane ``` 由于 kubeflow 实验组件较多,最好准备机器的最低配置能够大于*CPU8核,内存32G*以上。 ### 安装kubeflow **2.启动** ```bash $ python install.py ``` 等待镜像拉取,由于涉及的镜像比较多,要20~30分钟左右,可以通过命令查看是否就绪: **3.查看结果** ``` $ kubectl get pod -nkubeflow NAME READY STATUS RESTARTS AGE admission-webhook-deployment-6fb9d65887-pzvgc 1/1 Running 0 19h cache-deployer-deployment-7558d65bf4-jhgwg 2/2 Running 1 3h54m cache-server-c64c68ddf-lx7xq 2/2 Running 0 3h54m centraldashboard-7b7676d8bd-g2s8j 1/1 Running 0 4h46m jupyter-web-app-deployment-66f74586d9-scbsm 1/1 Running 0 3h4m katib-controller-77675c88df-mx4rh 1/1 Running 0 19h katib-db-manager-646695754f-z797r 1/1 Running 0 19h katib-mysql-5bb5bd9957-gbl5t 1/1 Running 0 19h katib-ui-55fd4bd6f9-r98r2 1/1 Running 0 19h kfserving-controller-manager-0 2/2 Running 0 19h kubeflow-pipelines-profile-controller-5698bf57cf-dhtsj 1/1 Running 0 3h52m metacontroller-0 1/1 Running 0 4h52m metadata-envoy-deployment-76d65977f7-rmlzc 1/1 Running 0 4h52m metadata-grpc-deployment-697d9c6c67-j6dl2 
2/2 Running 3 4h52m metadata-writer-58cdd57678-8t6gw 2/2 Running 1 4h52m minio-6d6784db95-tqs77 2/2 Running 0 4h45m ml-pipeline-85fc99f899-plsz2 2/2 Running 1 4h52m ml-pipeline-persistenceagent-65cb9594c7-xvn4j 2/2 Running 1 4h52m ml-pipeline-scheduledworkflow-7f8d8dfc69-7wfs4 2/2 Running 0 4h52m ml-pipeline-ui-5c765cc7bd-4r2j7 2/2 Running 0 4h52m ml-pipeline-viewer-crd-5b8df7f458-5b8qg 2/2 Running 1 4h52m ml-pipeline-visualizationserver-56c5ff68d5-92bkf 2/2 Running 0 4h52m mpi-operator-789f88879-n4xms 1/1 Running 0 19h mxnet-operator-7fff864957-vq2bg 1/1 Running 0 19h mysql-56b554ff66-kd7bd 2/2 Running 0 4h45m notebook-controller-deployment-74d9584477-qhpp8 1/1 Running 0 19h profiles-deployment-67b4666796-k7t2h 2/2 Running 0 19h pytorch-operator-fd86f7694-dxbgf 2/2 Running 0 19h tensorboard-controller-controller-manager-fd6bcffb4-k9qvx 3/3 Running 1 19h tensorboards-web-app-deployment-78d7b8b658-dktc6 1/1 Running 0 19h tf-job-operator-7bc5cf4cc7-gk8tz 1/1 Running 0 19h volumes-web-app-deployment-68fcfc9775-bz9gq 1/1 Running 0 19h workflow-controller-566998f76b-2v2kq 2/2 Running 1 4h52m xgboost-operator-deployment-5c7bfd57cc-9rtq6 2/2 Running 1 19h ``` 如果所有pod 都running了表示安装完了。 *注:除了kubeflow命名空间,该一键安装工具也会安装istio,knative,因此也要保证这两个命名空间下的服务全部running* *如果你的mysql没启动成功,可以运行kubectl apply -f database-patch/mysql-persistent-storage.yaml* *(该补丁使用 `emptyDir` 卷并允许 MySQL 空密码,Pod 重建后数据会丢失,仅适合测试环境)* 全部pod running后,可以访问本地的30000端口(istio-ingressgateway设置了nodeport为30000端口),就可以看到登录界面了: ![](/example/dex登录界面.png) 输入账号密码即可登录,这里的账号密码可以通过`patch/auth.yaml`进行更改。 默认的用户名是`admin@example.com`,密码是`password`。`kind/kind-config.yaml` 把 30000 端口映射到宿主机的 `0.0.0.0`,同一网络内的其他机器也能打开登录页,因此在本机以外的环境使用前应先修改这个默认密码。 登录后进入kubeflow界面: ![](/example/kubeflow-dashboardcenter.png) ### 删除kubeflow资源 ```bash kind delete cluster --name kubeflow ``` **如果不希望流量鉴权,可以把istio的authorizationpolicies全部删除** (`--all -A` 会删除所有命名空间中的授权策略,包括隔离各用户命名空间的策略,因此只适用于单用户的测试集群) ```bash kubectl delete authorizationpolicies --all -A ``` ================================================ FILE: database-patch/mysql-persistent-storage.yaml ================================================ apiVersion: apps/v1 kind: Deployment metadata: labels: app: mysql
application-crd-id: kubeflow-pipelines name: mysql namespace: kubeflow spec: selector: matchLabels: app: mysql application-crd-id: kubeflow-pipelines strategy: type: Recreate template: metadata: labels: app: mysql application-crd-id: kubeflow-pipelines spec: containers: - args: - --ignore-db-dir=lost+found - --datadir - /var/lib/mysql env: - name: MYSQL_ALLOW_EMPTY_PASSWORD value: "true" image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-mysql:5.7-f8fcd name: mysql ports: - containerPort: 3306 name: mysql resources: requests: cpu: 100m memory: 800Mi volumeMounts: - mountPath: /var/lib/mysql name: mysql-persistent-storage serviceAccountName: mysql volumes: - name: mysql-persistent-storage emptyDir: {} ================================================ FILE: docs/introduction.md ================================================ # Introduction --- ![](https://shikanon.com/img/kubeflow/kubeflow-dashboardcenter.png) 可以看到新版的kubeflow多了很多功能。 这里按模块介绍下 Kubeflow 的几个核心组件。 - Notebook Servers,作为一个管理线上交互实验的记录工具,可以帮助算法人员快速完成算法实验,同时notebook server 提供了统一的文档管理能力。 - AutoML,提供自动化的服务,对特征处理、特征选择、模型选择、模型参数的配置、模型训练和评估等方面,实现了全自动建模,降低算法人员手动实验次数。 - Pipeline,提供一个算法流水线的工程化工具,将算法各流程模块以拓扑图的形式组合起来,同时结合 argo 可以实现 MLOps。 - Serverless,将模型直接发布成一个对外的服务,缩短从实验到生产的路径。 ![](https://shikanon.com/img/kubeflow/kubeflow组件.png) ## Notebook Servers notebook 可以说是做机器学习最喜欢用到的工具了,完美的将动态语言的交互性发挥出来,kubeflow 提供了 jupyter notebook 来快速构建云上的实验环境,这里以一个我们自定义的镜像为例: ![](https://shikanon.com/img/kubeflow/kubeflow-create-notebook.png) 我们创建了一个`test-for-jupyter`名字的镜像,配置了一个 tensorflow 的镜像,点击启动,我们可以看到在`kubeflow-user-example-com`命名空间下已经创建我们的应用了: ```bash kubectl get po -nkubeflow-user-example-com NAME READY STATUS RESTARTS AGE ml-pipeline-ui-artifact-6d7ffcc4b6-9kxkk 2/2 Running 0 48m ml-pipeline-visualizationserver-84d577b989-5hl46 2/2 Running 0 48m test-for-jupyter-0 0/2 PodInitializing 0 44s ``` ![](https://shikanon.com/img/kubeflow/notebook-server-ui.png) 创建完成后点击 connect 就可以进入我们创建的应用界面中了 
![](https://shikanon.com/img/kubeflow/jupterlab-webui.png) ![](https://shikanon.com/img/kubeflow/jupterlab-web-run-code.png) 在 jupyterlab 环境中开发人员可以很方便的进行算法实验,同时由于运行在云上利用 k8s api甚至可以很方便构建k8s资源,比如通过 kfserving 创建一个ML服务。 ![](https://shikanon.com/img/kubeflow/jupyter-kfserving.png) ## AutoML AutoML 是机器学习比较热的领域,主要用来模型自动优化和超参数调整,这里其实是用的 Katib来实现的,一个基于k8s的 AutoML 项目,详细见https://github.com/kubeflow/katib。 Katib 主要提供了 超参数调整(Hyperparameter Tuning),早停法(Early Stopping)和神经网络架构搜索(Neural Architecture Search) 这里以一个随机搜索算法为例: ```yaml apiVersion: "kubeflow.org/v1beta1" kind: Experiment metadata: namespace: kubeflow-user-example-com name: random-example spec: objective: type: maximize goal: 0.99 objectiveMetricName: Validation-accuracy additionalMetricNames: - Train-accuracy algorithm: algorithmName: random parallelTrialCount: 3 maxTrialCount: 12 maxFailedTrialCount: 3 parameters: - name: lr parameterType: double feasibleSpace: min: "0.01" max: "0.03" - name: num-layers parameterType: int feasibleSpace: min: "2" max: "5" - name: optimizer parameterType: categorical feasibleSpace: list: - sgd - adam - ftrl trialTemplate: primaryContainerName: training-container trialParameters: - name: learningRate description: Learning rate for the training model reference: lr - name: numberLayers description: Number of training model layers reference: num-layers - name: optimizer description: Training model optimizer (sdg, adam or ftrl) reference: optimizer trialSpec: apiVersion: batch/v1 kind: Job spec: template: spec: containers: - name: training-container image: docker.io/kubeflowkatib/mxnet-mnist:v1beta1-45c5727 command: - "python3" - "/opt/mxnet-mnist/mnist.py" - "--batch-size=64" - "--lr=${trialParameters.learningRate}" - "--num-layers=${trialParameters.numberLayers}" - "--optimizer=${trialParameters.optimizer}" restartPolicy: Never ``` 这里以一个简单的神经网络为例,该程序具有三个参数 lr, num-layers, optimizer,采用的算法是随机搜索,目标是最大化准确率(accuracy)。 可以直接在界面中填上yaml文件,然后提交,完成后会生成一张各参数和准确率的关系图和训练列表: 
![](https://shikanon.com/img/kubeflow/katib-tune-hyperparameter.png) ![](https://shikanon.com/img/kubeflow/katib-tune-hyperparameter-training.png) ## Experiments and Pipelines experiments 为我们提供了一个可以创建实验空间功能, `pipeline` 定义了算法组合的模板,通过 `pipeline` 我们可以将算法中各处理模块按特定的拓扑图的方式组合起来。 这里可以看看官方提供的几个 pipeline 例子: ![](https://shikanon.com/img/kubeflow/kubeflow-pipeline-example.png) ![](https://shikanon.com/img/kubeflow/kubeflow-pipeline-example2.png) kubeflow `pipeline` 本质是基于 argo `workflow` 实现,**由于我们的kubeflow是基于kind上构建的,容器运行时用的containerd,而workflow默认的pipeline执行器是docker,因此有些特性不兼容**,这块可以见 argo workflow 官方说明:https://argoproj.github.io/argo-workflows/workflow-executors/。 这里我是把 workflow 的 `containerRuntimeExecutor` 改成了 `k8sapi`。但 `k8sapi` 由于在 workflow 是二级公民,因此有些功能不能用,比如 kubeflow pipeline 在 input/output 的 artifacts 需要用到 `docker cp` 命令,可以参考这个issue: https://github.com/argoproj/argo-workflows/issues/2685#issuecomment-613632304 由于以上原因 kubeflow 默认给的几个案例并没有用 volumes 是无法在 kind 中运行起来,这里我们基于 argo workflow 语法自己实现一个 `pipeline` ### 基于pipeline构建一个的工作流水 **第一步,构建一个 workflow pipeline 文件:** ```yaml apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: generateName: kubeflow-test- spec: entrypoint: kubeflow-test templates: - name: kubeflow-test dag: tasks: - name: print-text template: print-text dependencies: [repeat-line] - {name: repeat-line, template: repeat-line} - name: repeat-line container: args: [--line, Hello, --count, '15', --output-text, /gotest/outputs/output_text/data] command: - sh - -ec - | program_path=$(mktemp) printf "%s" "$0" > "$program_path" python3 -u "$program_path" "$@" - | def _make_parent_dirs_and_return_path(file_path: str): import os os.makedirs(os.path.dirname(file_path), exist_ok=True) return file_path def repeat_line(line, output_text_path, count = 10): '''Repeat the line specified number of times''' with open(output_text_path, 'w') as writer: for i in range(count): writer.write(line + '\n') import argparse _parser = argparse.ArgumentParser(prog='Repeat line', 
description='Repeat the line specified number of times') _parser.add_argument("--line", dest="line", type=str, required=True, default=argparse.SUPPRESS) _parser.add_argument("--count", dest="count", type=int, required=False, default=argparse.SUPPRESS) _parser.add_argument("--output-text", dest="output_text_path", type=_make_parent_dirs_and_return_path, required=True, default=argparse.SUPPRESS) _parsed_args = vars(_parser.parse_args()) _outputs = repeat_line(**_parsed_args) image: python:3.7 volumeMounts: - name: workdir mountPath: /gotest/outputs/output_text/ volumes: - name: workdir persistentVolumeClaim: claimName: kubeflow-test-pv metadata: annotations: - name: print-text container: args: [--text, /gotest/outputs/output_text/data] command: - sh - -ec - | program_path=$(mktemp) printf "%s" "$0" > "$program_path" python3 -u "$program_path" "$@" - | def print_text(text_path): # The "text" input is untyped so that any data can be printed '''Print text''' with open(text_path, 'r') as reader: for line in reader: print(line, end = '') import argparse _parser = argparse.ArgumentParser(prog='Print text', description='Print text') _parser.add_argument("--text", dest="text_path", type=str, required=True, default=argparse.SUPPRESS) _parsed_args = vars(_parser.parse_args()) _outputs = print_text(**_parsed_args) image: python:3.7 volumeMounts: - name: workdir mountPath: /gotest/outputs/output_text/ volumes: - name: workdir persistentVolumeClaim: claimName: kubeflow-test-pv metadata: annotations: ``` argo workflow 的语法可以参考:https://argoproj.github.io/argo-workflows/variables/ 这里我们定义了两个任务 repeat-line 和 print-text, repeat-line 任务会将生产结果写入 `kubeflow-test-pv` 的 PVC 中, print-text 会从 PVC 中读取数据输出到 stdout。 这里由于用到 PVC,我们需要先在集群中创建一个`kubeflow-test-pv`的PVC: ```yaml apiVersion: v1 kind: PersistentVolumeClaim metadata: name: kubeflow-test-pv namespace: kubeflow-user-example-com spec: accessModes: - ReadWriteOnce resources: requests: storage: 128Mi ``` **第二步,定义好 pipeline 文件后可以创建pipeline:** 
![](https://shikanon.com/img/kubeflow/kubeflow-upload-pipeline.png) **第三步,启动一个pipeline:** ![](https://shikanon.com/img/kubeflow/kubeflow-crate-pipeline.png) 启动 pipeline 除了单次运行模式 one-off,也支持定时器循环模式 Recurring,这块可以根据自己的需求确定。 **查看运行结果:** ![](https://shikanon.com/img/kubeflow/kbueflow-pipeline-result.png) 运行完后,可以将实验进行归档(Archived)。 ## 关于 MLOps 的一点思考 我们来看一个简单的 ML 运作流程: ![](https://shikanon.com/img/kubeflow/google-mlops.svg) 这是一个 google 提供的 level 1 级别的机器学习流水线自动化,整个流水线包括以下几部分: - 构建快速算法实验的环境(experimentation),这里的步骤已经过编排,各个步骤之间的转换是自动执行的,这样可以快速迭代实验,并更好地准备将整个流水线移至生产环境,在这个环境中算法研究员只进行模块内部的工作。 - 构建可复用的生产环境流水线,组件的源代码模块化,实验环境模块化流水线可以直接在 staging 环境和 production 环境中使用。 - 持续交付模型,生产环境中的机器学习流水线会向使用新数据进行训练的新模型持续交付预测服务。 基于上述功能描述我们其实可以基于 kubeflow 的 `pipeline` 和 `kfserving` 功能轻松实现一个简单的 MLOps 流水线发布流程。不过,值得注意的是,DevOps 本身并不仅仅是一种技术,同时是一种工程文化,所以在实践落地中需要团队各方的协同分阶段的落地。这块可以参考[《MLOps: Continuous delivery and automation pipelines in machine learning》](https://cloud.google.com/architecture/mlops-continuous-delivery-and-automation-pipelines-in-machine-learning)和[《Hidden Technical Debt in Machine Learning Systems》](https://papers.nips.cc/paper/2015/file/86df7dcfd896fcaf2674f757a2463eba-Paper.pdf) # 参考文献 - https://www.tensorflow.org/tutorials/quickstart/beginner - https://github.com/dexidp/dex - https://github.com/kubeflow/kfserving/tree/master/docs - https://argoproj.github.io/argo-workflows/workflow-executors/ - https://github.com/shikanon/kubeflow-manifests - https://argoproj.github.io/argo-workflows/variables/ - https://cloud.google.com/architecture/mlops-continuous-delivery-and-automation-pipelines-in-machine-learning ================================================ FILE: docs/problems.md ================================================ # 问题汇总 1. 
没有 namespace, Experiments 报错。 这种是 `profile` 设置问题。 由于官方使用的是`user@example.com`创建命名空间`kubeflow-user-example-com`,这里在`patch`改成了`admin@example.com` ,当命名空间已经创建后,就会报错,一般我们查看 profiles-deployment 日志,会看到: ```bash 2021-05-19T06:41:43.069Z INFO controllers.Profile namespace already exist, but not owned by profile creator admin@example.com {"profile": "/kubeflow-user-example-com"} 2021-05-19T06:41:43.077Z DEBUG controller Successfully Reconciled {"reconcilerGroup": "kubeflow.org", "reconcilerKind": "Profile", "controller": "profile", "name": "kubeflow-user-example-com", "namespace": ""} ``` 这时候只需要删除`profile`命名空间`kubeflow-user-example-com`,重新生产`profile`即可。 ```bash kubectl delete -f patch/auth.yaml kubectl delete ns kubeflow-user-example-com kubectl apply -f patch/auth.yaml ``` 2. 运行 pipeline 报错,错误显示`xxx is not implemented in the k8sapi executor` 这个错误是由于 kind 集群创建的 k8s 集群容器运行时用的containerd,而workflow默认的pipeline执行器是docker,因此有些特性不兼容。如果你的 k8s 集群是自己基于docker runtime 搭建的,可以将`patch/workflow-controller.yaml`的`containerRuntimeExecutor`改为`docker`,这样就不存在兼容性问题了。 详细见: https://github.com/argoproj/argo-workflows/issues/2685#issuecomment-613632304 https://argoproj.github.io/argo-workflows/workflow-executors/ ================================================ FILE: example/kitab-random-example.yaml ================================================ apiVersion: "kubeflow.org/v1beta1" kind: Experiment metadata: namespace: kubeflow-user-example-com name: random-example spec: objective: type: maximize goal: 0.99 objectiveMetricName: Validation-accuracy additionalMetricNames: - Train-accuracy algorithm: algorithmName: random parallelTrialCount: 3 maxTrialCount: 12 maxFailedTrialCount: 3 parameters: - name: lr parameterType: double feasibleSpace: min: "0.01" max: "0.03" - name: num-layers parameterType: int feasibleSpace: min: "2" max: "5" - name: optimizer parameterType: categorical feasibleSpace: list: - sgd - adam - ftrl trialTemplate: primaryContainerName: training-container trialParameters: - name: 
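learningRate description: Learning rate for the training model reference: lr - name: numberLayers description: Number of training model layers reference: num-layers - name: optimizer description: Training model optimizer (sdg, adam or ftrl) reference: optimizer trialSpec: apiVersion: batch/v1 kind: Job spec: template: spec: containers: - name: training-container image: docker.io/kubeflowkatib/mxnet-mnist:v1beta1-45c5727 command: - "python3" - "/opt/mxnet-mnist/mnist.py" - "--batch-size=64" - "--lr=${trialParameters.learningRate}" - "--num-layers=${trialParameters.numberLayers}" - "--optimizer=${trialParameters.optimizer}" restartPolicy: Never ================================================ FILE: install.py ================================================
#!/bin/python
#coding:utf-8
import os
import subprocess
import sys
import time


def _run_kubectl(action, manifest):
    """Run ``kubectl <action> -f <manifest>``, print its stdout, return the exit code.

    The command is passed as an argument list, so no shell is involved and a
    manifest file name containing spaces or shell metacharacters is handed to
    kubectl as one literal argument instead of being interpreted.
    """
    proc = subprocess.Popen(["kubectl", action, "-f", manifest],
                            stdout=subprocess.PIPE)
    # communicate() drains stdout and waits for kubectl to exit, so the exit
    # code is available and the child process is reaped before the next call.
    out, _ = proc.communicate()
    print(out)
    return proc.returncode


def install(path):
    """Apply every file under *path* with ``kubectl apply -f``, in sorted order.

    The directory tree is walked with ``os.walk``; within each directory the
    files are applied in sorted name order (the manifests carry numeric
    prefixes such as ``001-``). *path* is used as given, so a relative path
    is resolved against the current working directory.
    """
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            installfile = os.path.join(root, name)
            print("kubectl apply -f {installfile}".format(installfile=installfile))
            code = _run_kubectl("apply", installfile)
            if code != 0:
                # Keep going (the original never stopped on errors), but make
                # the failure visible instead of silently ignoring it.
                print("kubectl apply failed for {installfile} (exit code {code})".format(
                    installfile=installfile, code=code))
            # NOTE(review): the listing lost its indentation; the pause is
            # taken to follow each manifest, presumably so its objects can
            # register before the next file is applied. Confirm against the
            # original file.
            time.sleep(10)


def patchInstall(path):
    """Delete and then re-apply every file under *path*.

    Some patches change settings that only take effect when the pod restarts,
    so each patch is deleted first and then applied again.
    """
    print("start to patch...")
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            installfile = os.path.join(root, name)
            # A failing delete is tolerated: its exit code is not checked.
            _run_kubectl("delete", installfile)
            code = _run_kubectl("apply", installfile)
            if code != 0:
                print("kubectl apply failed for {installfile} (exit code {code})".format(
                    installfile=installfile, code=code))


# Install the manifests. Both paths are relative, so kubectl applies whatever
# the current working directory holds under these names.
path = "./manifest1.3"
install(path)

# Apply the patches.
patchPath = "./patch"
patchInstall(patchPath)
================================================ FILE: kind/kind-config.yaml ================================================ apiVersion: kind.x-k8s.io/v1alpha4 kind: Cluster nodes: -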
role: control-plane extraPortMappings: - containerPort: 30000 hostPort: 30000 listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0" protocol: tcp # Optional, defaults to tcp kubeadmConfigPatches: - | kind: InitConfiguration nodeRegistration: kubeletExtraArgs: node-labels: "ingress-ready=true" ================================================ FILE: local-path/local-path-storage.yaml ================================================ apiVersion: v1 kind: Namespace metadata: name: local-path-storage --- apiVersion: v1 kind: ServiceAccount metadata: name: local-path-provisioner-service-account namespace: local-path-storage --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: local-path-provisioner-role rules: - apiGroups: [""] resources: ["nodes", "persistentvolumeclaims"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["endpoints", "persistentvolumes", "pods"] verbs: ["*"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: local-path-provisioner-bind roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: local-path-provisioner-role subjects: - kind: ServiceAccount name: local-path-provisioner-service-account namespace: local-path-storage --- apiVersion: apps/v1 kind: Deployment metadata: name: local-path-provisioner namespace: local-path-storage spec: replicas: 1 selector: matchLabels: app: local-path-provisioner template: metadata: labels: app: local-path-provisioner spec: serviceAccountName: local-path-provisioner-service-account containers: - name: local-path-provisioner image: rancher/local-path-provisioner:v0.0.11 imagePullPolicy: IfNotPresent command: - local-path-provisioner - --debug - start - --config - /etc/config/config.json volumeMounts: - name: config-volume mountPath: /etc/config/ env: - name: POD_NAMESPACE 
valueFrom: fieldRef: fieldPath: metadata.namespace volumes: - name: config-volume configMap: name: local-path-config --- apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: local-path annotations: #添加为默认StorageClass storageclass.beta.kubernetes.io/is-default-class: "true" provisioner: rancher.io/local-path volumeBindingMode: WaitForFirstConsumer reclaimPolicy: Delete --- kind: ConfigMap apiVersion: v1 metadata: name: local-path-config namespace: local-path-storage data: config.json: |- { "nodePathMap":[ { "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES", "paths":["/opt/local-path-provisioner"] } ] } ================================================ FILE: manifest1.3/001-cert-manager-cert-manager-kube-system-resources-base.yaml ================================================ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: labels: app: cainjector kustomize.component: cert-manager name: cert-manager-cainjector:leaderelection namespace: kube-system rules: - apiGroups: - "" resources: - configmaps verbs: - get - create - update - patch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: labels: app: cert-manager kustomize.component: cert-manager name: cert-manager:leaderelection namespace: kube-system rules: - apiGroups: - "" resources: - configmaps verbs: - get - create - update - patch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: labels: app: cainjector kustomize.component: cert-manager name: cert-manager-cainjector:leaderelection namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: cert-manager-cainjector:leaderelection subjects: - apiGroup: "" kind: ServiceAccount name: cert-manager-cainjector namespace: cert-manager --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: labels: app: webhook kustomize.component: cert-manager name: cert-manager-webhook:webhook-authentication-reader namespace: kube-system roleRef: apiGroup: 
rbac.authorization.k8s.io kind: Role name: extension-apiserver-authentication-reader subjects: - apiGroup: "" kind: ServiceAccount name: cert-manager-webhook namespace: cert-manager --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: labels: app: cert-manager kustomize.component: cert-manager name: cert-manager:leaderelection namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: cert-manager:leaderelection subjects: - apiGroup: "" kind: ServiceAccount name: cert-manager namespace: cert-manager --- apiVersion: v1 data: certManagerNamespace: cert-manager kind: ConfigMap metadata: labels: kustomize.component: cert-manager name: cert-manager-kube-params-parameters namespace: kube-system ================================================ FILE: manifest1.3/002-cert-manager-cert-manager-crds-base.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: certificaterequests.cert-manager.io spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .spec.issuerRef.name name: Issuer priority: 1 type: string - JSONPath: .status.conditions[?(@.type=="Ready")].message name: Status priority: 1 type: string - JSONPath: .metadata.creationTimestamp description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 
name: Age type: date group: cert-manager.io names: kind: CertificateRequest listKind: CertificateRequestList plural: certificaterequests shortNames: - cr - crs singular: certificaterequest scope: Namespaced subresources: status: {} validation: openAPIV3Schema: description: CertificateRequest is a type to represent a Certificate Signing Request properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: CertificateRequestSpec defines the desired state of CertificateRequest properties: csr: description: Byte slice containing the PEM encoded CertificateSigningRequest format: byte type: string duration: description: Requested certificate default Duration type: string isCA: description: IsCA will mark the resulting certificate as valid for signing. This implies that the 'cert sign' usage is set type: boolean issuerRef: description: IssuerRef is a reference to the issuer for this CertificateRequest. If the 'kind' field is not set, or set to 'Issuer', an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the provided name will be used. The 'name' field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to 'cert-manager.io' if empty. 
properties: group: type: string kind: type: string name: type: string required: - name type: object usages: description: Usages is the set of x509 actions that are enabled for a given key. Defaults are ('digital signature', 'key encipherment') if empty items: description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' enum: - signing - digital signature - content commitment - key encipherment - key agreement - data encipherment - cert sign - crl sign - encipher only - decipher only - any - server auth - client auth - code signing - email protection - s/mime - ipsec end system - ipsec tunnel - ipsec user - timestamping - ocsp signing - microsoft sgc - netscape sgc type: string type: array required: - issuerRef type: object status: description: CertificateStatus defines the observed state of CertificateRequest and resulting signed certificate. properties: ca: description: Byte slice containing the PEM encoded certificate authority of the signed certificate. format: byte type: string certificate: description: Byte slice containing a PEM encoded signed certificate resulting from the given certificate signing request. format: byte type: string conditions: items: description: CertificateRequestCondition contains condition information for a CertificateRequest. properties: lastTransitionTime: description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. format: date-time type: string message: description: Message is a human readable description of the details of the last transition, complementing reason. type: string reason: description: Reason is a brief machine readable explanation for the condition's last transition. type: string status: description: Status of the condition, one of ('True', 'False', 'Unknown'). 
enum: - "True" - "False" - Unknown type: string type: description: Type of the condition, currently ('Ready'). type: string required: - status - type type: object type: array failureTime: description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. format: date-time type: string type: object type: object version: v1alpha2 versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: certificates.cert-manager.io spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .spec.secretName name: Secret type: string - JSONPath: .spec.issuerRef.name name: Issuer priority: 1 type: string - JSONPath: .status.conditions[?(@.type=="Ready")].message name: Status priority: 1 type: string - JSONPath: .metadata.creationTimestamp description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. name: Age type: date group: cert-manager.io names: kind: Certificate listKind: CertificateList plural: certificates shortNames: - cert - certs singular: certificate scope: Namespaced subresources: status: {} validation: openAPIV3Schema: description: Certificate is a type to represent a Certificate from ACME properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: CertificateSpec defines the desired state of Certificate. A valid Certificate requires at least one of a CommonName, DNSName, or URISAN to be valid. properties: commonName: description: CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. type: string dnsNames: description: DNSNames is a list of subject alt names to be used on the Certificate. items: type: string type: array duration: description: Certificate default Duration type: string ipAddresses: description: IPAddresses is a list of IP addresses to be used on the Certificate items: type: string type: array isCA: description: IsCA will mark this Certificate as valid for signing. This implies that the 'cert sign' usage is set type: boolean issuerRef: description: IssuerRef is a reference to the issuer for this certificate. If the 'kind' field is not set, or set to 'Issuer', an Issuer resource with the given name in the same namespace as the Certificate will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the provided name will be used. The 'name' field in this stanza is required at all times. properties: group: type: string kind: type: string name: type: string required: - name type: object keyAlgorithm: description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is not provided, key size of 256 will be used for "ecdsa" key algorithm and key size of 2048 will be used for "rsa" key algorithm. 
enum: - rsa - ecdsa type: string keyEncoding: description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then PKCS#1 will be used by default. enum: - pkcs1 - pkcs8 type: string keySize: description: KeySize is the key bit size of the corresponding private key for this certificate. If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", and value must be one of (256, 384, 521) when KeyAlgorithm is set to "ecdsa". type: integer organization: description: Organization is the organization to be used on the Certificate items: type: string type: array renewBefore: description: Certificate renew before expiration duration type: string secretName: description: SecretName is the name of the secret resource to store this secret in type: string uriSANs: description: URISANs is a list of URI Subject Alternative Names to be set on this Certificate. items: type: string type: array usages: description: Usages is the set of x509 actions that are enabled for a given key. Defaults are ('digital signature', 'key encipherment') if empty items: description: 'KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' enum: - signing - digital signature - content commitment - key encipherment - key agreement - data encipherment - cert sign - crl sign - encipher only - decipher only - any - server auth - client auth - code signing - email protection - s/mime - ipsec end system - ipsec tunnel - ipsec user - timestamping - ocsp signing - microsoft sgc - netscape sgc type: string type: array required: - issuerRef - secretName type: object status: description: CertificateStatus defines the observed state of Certificate properties: conditions: items: description: CertificateCondition contains condition information for an Certificate. properties: lastTransitionTime: description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. format: date-time type: string message: description: Message is a human readable description of the details of the last transition, complementing reason. type: string reason: description: Reason is a brief machine readable explanation for the condition's last transition. type: string status: description: Status of the condition, one of ('True', 'False', 'Unknown'). enum: - "True" - "False" - Unknown type: string type: description: Type of the condition, currently ('Ready'). type: string required: - status - type type: object type: array lastFailureTime: format: date-time type: string notAfter: description: The expiration time of the certificate stored in the secret named by this resource in spec.secretName. 
format: date-time type: string type: object type: object version: v1alpha2 versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null name: challenges.acme.cert-manager.io spec: additionalPrinterColumns: - JSONPath: .status.state name: State type: string - JSONPath: .spec.dnsName name: Domain type: string - JSONPath: .status.reason name: Reason priority: 1 type: string - JSONPath: .metadata.creationTimestamp description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. name: Age type: date group: acme.cert-manager.io names: kind: Challenge listKind: ChallengeList plural: challenges singular: challenge scope: Namespaced subresources: status: {} validation: openAPIV3Schema: description: Challenge is a type to represent a Challenge request with an ACME server properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: authzURL: description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of. type: string dnsName: description: DNSName is the identifier that this challenge is for, e.g. 
example.com. type: string issuerRef: description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. properties: group: type: string kind: type: string name: type: string required: - name type: object key: description: Key is the ACME challenge key for this challenge type: string solver: description: Solver contains the domain solving configuration that should be used to solve this challenge resource. Only **one** of 'config' or 'solver' may be specified, and if both are specified then no action will be performed on the Challenge resource. properties: dns01: properties: acmedns: description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the configuration for ACME-DNS servers properties: accountSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object host: type: string required: - accountSecretRef - host type: object akamai: description: ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS configuration for Akamai DNS—Zone Record Management API properties: accessTokenSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object clientSecretSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. 
type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object clientTokenSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object serviceConsumerDomain: type: string required: - accessTokenSecretRef - clientSecretSecretRef - clientTokenSecretRef - serviceConsumerDomain type: object azuredns: description: ACMEIssuerDNS01ProviderAzureDNS is a structure containing the configuration for Azure DNS properties: clientID: type: string clientSecretSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object environment: enum: - AzurePublicCloud - AzureChinaCloud - AzureGermanCloud - AzureUSGovernmentCloud type: string hostedZoneName: type: string resourceGroupName: type: string subscriptionID: type: string tenantID: type: string required: - clientID - clientSecretSecretRef - resourceGroupName - subscriptionID - tenantID type: object clouddns: description: ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS configuration for Google Cloud DNS properties: project: type: string serviceAccountSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - project - serviceAccountSecretRef type: object cloudflare: description: ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS configuration for Cloudflare properties: apiKeySecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object email: type: string required: - apiKeySecretRef - email type: object cnameStrategy: description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. enum: - None - Follow type: string digitalocean: description: ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS configuration for DigitalOcean Domains properties: tokenSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - tokenSecretRef type: object rfc2136: description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing the configuration for RFC2136 DNS properties: nameserver: description: 'The IP address of the DNS supporting RFC2136. Required. Note: FQDN is not a valid value, only IP.' type: string tsigAlgorithm: description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" and ""tsigKeyName"" are defined. 
Supported values are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", ""HMACSHA256"" or ""HMACSHA512"".' type: string tsigKeyName: description: The TSIG Key name configured in the DNS. If ""tsigSecretSecretRef"" is defined, this field is required. type: string tsigSecretSecretRef: description: The name of the secret containing the TSIG value. If ""tsigKeyName"" is defined, this field is required. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - nameserver type: object route53: description: ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53 configuration for AWS properties: accessKeyID: description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. type: string region: description: Always set the region when using AccessKeyID and SecretAccessKey type: string role: description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata type: string secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication. 
If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - region type: object webhook: description: ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01 provider, including where to POST ChallengePayload resources. properties: config: description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. x-kubernetes-preserve-unknown-fields: true groupName: description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. type: string solverName: description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. type: string required: - groupName - solverName type: object type: object http01: description: ACMEChallengeSolverHTTP01 contains configuration detailing how to solve HTTP01 challenges within a Kubernetes cluster. 
Typically this is accomplished through creating 'routes' of some description that configure ingress controllers to direct traffic to 'solver pods', which are responsible for responding to the ACME server's HTTP requests. properties: ingress: description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. properties: class: description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. type: string name: description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. type: string podTemplate: description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges properties: metadata: description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. type: object spec: description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'nodeSelector', 'affinity' and 'tolerations' fields are supported currently. All other fields will be ignored. properties: affinity: description: If specified, the pod's scheduling constraints properties: nodeAffinity: description: Describes node affinity scheduling rules for the pod. 
properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. items: description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with the corresponding weight. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. 
items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object weight: description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. format: int32 type: integer required: - preference - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object type: array required: - nodeSelectorTerms type: object type: object podAffinity: description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object podAntiAffinity: description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object type: object nodeSelector: additionalProperties: type: string description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object tolerations: description: If specified, the pod's tolerations. items: description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . properties: effect: description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: Key is the taint key that the toleration applies to. Empty means match all taint keys. 
If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. type: string tolerationSeconds: description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object type: object serviceType: description: Optional service type for Kubernetes solver service type: string type: object type: object selector: description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. properties: dnsNames: description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array dnsZones: description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. 
If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array matchLabels: additionalProperties: type: string description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. type: object type: object type: object token: description: Token is the ACME challenge token for this challenge. type: string type: description: Type is the type of ACME challenge this resource represents, e.g. "dns01" or "http01" type: string url: description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. type: string wildcard: description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com' type: boolean required: - authzURL - dnsName - issuerRef - key - token - type - url type: object status: properties: presented: description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). type: boolean processing: description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. type: boolean reason: description: Reason contains human readable information on why the Challenge is in the current state. 
type: string state: description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. enum: - valid - ready - pending - processing - invalid - expired - errored type: string type: object required: - metadata type: object version: v1alpha2 versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterissuers.cert-manager.io spec: group: cert-manager.io names: kind: ClusterIssuer listKind: ClusterIssuerList plural: clusterissuers singular: clusterissuer scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer. properties: acme: description: ACMEIssuer contains the specification for an ACME issuer properties: email: description: Email is the email for this account type: string privateKeySecretRef: description: PrivateKey is the name of a secret containing the private key for this user account. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object server: description: Server is the ACME server URL type: string skipTLSVerify: description: If true, skip verifying the ACME server TLS certificate type: boolean solvers: description: Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. items: properties: dns01: properties: acmedns: description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the configuration for ACME-DNS servers properties: accountSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object host: type: string required: - accountSecretRef - host type: object akamai: description: ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS configuration for Akamai DNS—Zone Record Management API properties: accessTokenSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object clientSecretSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string required: - name type: object clientTokenSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object serviceConsumerDomain: type: string required: - accessTokenSecretRef - clientSecretSecretRef - clientTokenSecretRef - serviceConsumerDomain type: object azuredns: description: ACMEIssuerDNS01ProviderAzureDNS is a structure containing the configuration for Azure DNS properties: clientID: type: string clientSecretSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object environment: enum: - AzurePublicCloud - AzureChinaCloud - AzureGermanCloud - AzureUSGovernmentCloud type: string hostedZoneName: type: string resourceGroupName: type: string subscriptionID: type: string tenantID: type: string required: - clientID - clientSecretSecretRef - resourceGroupName - subscriptionID - tenantID type: object clouddns: description: ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS configuration for Google Cloud DNS properties: project: type: string serviceAccountSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string required: - name type: object required: - project - serviceAccountSecretRef type: object cloudflare: description: ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS configuration for Cloudflare properties: apiKeySecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object email: type: string required: - apiKeySecretRef - email type: object cnameStrategy: description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. enum: - None - Follow type: string digitalocean: description: ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS configuration for DigitalOcean Domains properties: tokenSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - tokenSecretRef type: object rfc2136: description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing the configuration for RFC2136 DNS properties: nameserver: description: 'The IP address of the DNS supporting RFC2136. Required. Note: FQDN is not a valid value, only IP.' type: string tsigAlgorithm: description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" and ""tsigKeyName"" are defined. Supported values are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", ""HMACSHA256"" or ""HMACSHA512"".' type: string tsigKeyName: description: The TSIG Key name configured in the DNS. 
If ""tsigSecretSecretRef"" is defined, this field is required. type: string tsigSecretSecretRef: description: The name of the secret containing the TSIG value. If ""tsigKeyName"" is defined, this field is required. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - nameserver type: object route53: description: ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53 configuration for AWS properties: accessKeyID: description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. type: string region: description: Always set the region when using AccessKeyID and SecretAccessKey type: string role: description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata type: string secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - region type: object webhook: description: ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01 provider, including where to POST ChallengePayload resources. properties: config: description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. x-kubernetes-preserve-unknown-fields: true groupName: description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. type: string solverName: description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. type: string required: - groupName - solverName type: object type: object http01: description: ACMEChallengeSolverHTTP01 contains configuration detailing how to solve HTTP01 challenges within a Kubernetes cluster. Typically this is accomplished through creating 'routes' of some description that configure ingress controllers to direct traffic to 'solver pods', which are responsible for responding to the ACME server's HTTP requests. 
properties: ingress: description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. properties: class: description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. type: string name: description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. type: string podTemplate: description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges properties: metadata: description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. type: object spec: description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'nodeSelector', 'affinity' and 'tolerations' fields are supported currently. All other fields will be ignored. properties: affinity: description: If specified, the pod's scheduling constraints properties: nodeAffinity: description: Describes node affinity scheduling rules for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. items: description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with the corresponding weight. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. 
Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object weight: description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. format: int32 type: integer required: - preference - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object type: array required: - nodeSelectorTerms type: object type: object podAffinity: description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object podAntiAffinity: description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object type: object nodeSelector: additionalProperties: type: string description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object tolerations: description: If specified, the pod's tolerations. items: description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. properties: effect: description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
type: string tolerationSeconds: description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object type: object serviceType: description: Optional service type for Kubernetes solver service type: string type: object type: object selector: description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. properties: dnsNames: description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array dnsZones: description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 
items: type: string type: array matchLabels: additionalProperties: type: string description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. type: object type: object type: object type: array required: - privateKeySecretRef - server type: object ca: properties: secretName: description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. type: string required: - secretName type: object selfSigned: type: object vault: properties: auth: description: Vault authentication properties: appRole: description: This Secret contains a AppRole and Secret properties: path: description: Where the authentication path is mounted in Vault. type: string roleId: type: string secretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - path - roleId - secretRef type: object kubernetes: description: This contains a Role and Secret with a ServiceAccount token to authenticate with vault. properties: mountPath: description: The value here will be used as part of the path used when authenticating with vault, for example if you set a value of "foo", the path used will be "/v1/auth/foo/login". If unspecified, the default value "kubernetes" will be used. type: string role: description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. properties: key: description: The key of the secret to select from. Must be a valid secret key. 
type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - role - secretRef type: object tokenSecretRef: description: This Secret contains the Vault token key properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object type: object caBundle: description: Base64 encoded CA bundle to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. format: byte type: string path: description: Vault URL path to the certificate role type: string server: description: Server is the vault connection address type: string required: - auth - path - server type: object venafi: description: VenafiIssuer describes issuer configuration details for Venafi Cloud. properties: cloud: description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. properties: apiTokenSecretRef: description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string required: - name type: object url: description: URL is the base URL for Venafi Cloud type: string required: - apiTokenSecretRef - url type: object tpp: description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. properties: caBundle: description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. format: byte type: string credentialsRef: description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object url: description: URL is the base URL for the Venafi TPP instance type: string required: - credentialsRef - url type: object zone: description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
type: string required: - zone type: object type: object status: description: IssuerStatus contains status information about an Issuer properties: acme: properties: lastRegisteredEmail: description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer type: string uri: description: URI is the unique account identifier, which can also be used to retrieve account details from the CA type: string type: object conditions: items: description: IssuerCondition contains condition information for an Issuer. properties: lastTransitionTime: description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. format: date-time type: string message: description: Message is a human readable description of the details of the last transition, complementing reason. type: string reason: description: Reason is a brief machine readable explanation for the condition's last transition. type: string status: description: Status of the condition, one of ('True', 'False', 'Unknown'). enum: - "True" - "False" - Unknown type: string type: description: Type of the condition, currently ('Ready'). type: string required: - status - type type: object type: array type: object type: object version: v1alpha2 versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: issuers.cert-manager.io spec: group: cert-manager.io names: kind: Issuer listKind: IssuerList plural: issuers singular: issuer scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer. properties: acme: description: ACMEIssuer contains the specification for an ACME issuer properties: email: description: Email is the email for this account type: string privateKeySecretRef: description: PrivateKey is the name of a secret containing the private key for this user account. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object server: description: Server is the ACME server URL type: string skipTLSVerify: description: If true, skip verifying the ACME server TLS certificate type: boolean solvers: description: Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. items: properties: dns01: properties: acmedns: description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the configuration for ACME-DNS servers properties: accountSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string required: - name type: object host: type: string required: - accountSecretRef - host type: object akamai: description: ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS configuration for Akamai DNS—Zone Record Management API properties: accessTokenSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object clientSecretSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object clientTokenSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object serviceConsumerDomain: type: string required: - accessTokenSecretRef - clientSecretSecretRef - clientTokenSecretRef - serviceConsumerDomain type: object azuredns: description: ACMEIssuerDNS01ProviderAzureDNS is a structure containing the configuration for Azure DNS properties: clientID: type: string clientSecretSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string required: - name type: object environment: enum: - AzurePublicCloud - AzureChinaCloud - AzureGermanCloud - AzureUSGovernmentCloud type: string hostedZoneName: type: string resourceGroupName: type: string subscriptionID: type: string tenantID: type: string required: - clientID - clientSecretSecretRef - resourceGroupName - subscriptionID - tenantID type: object clouddns: description: ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS configuration for Google Cloud DNS properties: project: type: string serviceAccountSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - project - serviceAccountSecretRef type: object cloudflare: description: ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS configuration for Cloudflare properties: apiKeySecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object email: type: string required: - apiKeySecretRef - email type: object cnameStrategy: description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. enum: - None - Follow type: string digitalocean: description: ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS configuration for DigitalOcean Domains properties: tokenSecretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - tokenSecretRef type: object rfc2136: description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing the configuration for RFC2136 DNS properties: nameserver: description: 'The IP address of the DNS supporting RFC2136. Required. Note: FQDN is not a valid value, only IP.' type: string tsigAlgorithm: description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" and ""tsigKeyName"" are defined. Supported values are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", ""HMACSHA256"" or ""HMACSHA512"".' type: string tsigKeyName: description: The TSIG Key name configured in the DNS. If ""tsigSecretSecretRef"" is defined, this field is required. type: string tsigSecretSecretRef: description: The name of the secret containing the TSIG value. If ""tsigKeyName"" is defined, this field is required. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - nameserver type: object route53: description: ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53 configuration for AWS properties: accessKeyID: description: 'The AccessKeyID is used for authentication. 
If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. type: string region: description: Always set the region when using AccessKeyID and SecretAccessKey type: string role: description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata type: string secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - region type: object webhook: description: ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01 provider, including where to POST ChallengePayload resources. properties: config: description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource.
For details on the schema of this field, consult the webhook provider implementation's documentation. x-kubernetes-preserve-unknown-fields: true groupName: description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. type: string solverName: description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. type: string required: - groupName - solverName type: object type: object http01: description: ACMEChallengeSolverHTTP01 contains configuration detailing how to solve HTTP01 challenges within a Kubernetes cluster. Typically this is accomplished through creating 'routes' of some description that configure ingress controllers to direct traffic to 'solver pods', which are responsible for responding to the ACME server's HTTP requests. properties: ingress: description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. properties: class: description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. type: string name: description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 
type: string podTemplate: description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges properties: metadata: description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. type: object spec: description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'nodeSelector', 'affinity' and 'tolerations' fields are supported currently. All other fields will be ignored. properties: affinity: description: If specified, the pod's scheduling constraints properties: nodeAffinity: description: Describes node affinity scheduling rules for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. items: description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with the corresponding weight. properties: matchExpressions: description: A list of node selector requirements by node's labels. 
items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object weight: description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
format: int32 type: integer required: - preference - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. 
type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object type: array required: - nodeSelectorTerms type: object type: object podAffinity: description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object podAntiAffinity: description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object type: object nodeSelector: additionalProperties: type: string description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object tolerations: description: If specified, the pod's tolerations. items: description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . properties: effect: description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. type: string tolerationSeconds: description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object type: object serviceType: description: Optional service type for Kubernetes solver service type: string type: object type: object selector: description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. properties: dnsNames: description: List of DNSNames that this solver will be used to solve. 
If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array dnsZones: description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array matchLabels: additionalProperties: type: string description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. type: object type: object type: object type: array required: - privateKeySecretRef - server type: object ca: properties: secretName: description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. type: string required: - secretName type: object selfSigned: type: object vault: properties: auth: description: Vault authentication properties: appRole: description: This Secret contains a AppRole and Secret properties: path: description: Where the authentication path is mounted in Vault. type: string roleId: type: string secretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string required: - name type: object required: - path - roleId - secretRef type: object kubernetes: description: This contains a Role and Secret with a ServiceAccount token to authenticate with vault. properties: mountPath: description: The value here will be used as part of the path used when authenticating with vault, for example if you set a value of "foo", the path used will be "/v1/auth/foo/login". If unspecified, the default value "kubernetes" will be used. type: string role: description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - role - secretRef type: object tokenSecretRef: description: This Secret contains the Vault token key properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object type: object caBundle: description: Base64 encoded CA bundle to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 
format: byte type: string path: description: Vault URL path to the certificate role type: string server: description: Server is the vault connection address type: string required: - auth - path - server type: object venafi: description: VenafiIssuer describes issuer configuration details for Venafi Cloud. properties: cloud: description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. properties: apiTokenSecretRef: description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object url: description: URL is the base URL for Venafi Cloud type: string required: - apiTokenSecretRef - url type: object tpp: description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. properties: caBundle: description: CABundle is a PEM encoded TLS certifiate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. format: byte type: string credentialsRef: description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string required: - name type: object url: description: URL is the base URL for the Venafi TPP instance type: string required: - credentialsRef - url type: object zone: description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. type: string required: - zone type: object type: object status: description: IssuerStatus contains status information about an Issuer properties: acme: properties: lastRegisteredEmail: description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer type: string uri: description: URI is the unique account identifier, which can also be used to retrieve account details from the CA type: string type: object conditions: items: description: IssuerCondition contains condition information for an Issuer. properties: lastTransitionTime: description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. format: date-time type: string message: description: Message is a human readable description of the details of the last transition, complementing reason. type: string reason: description: Reason is a brief machine readable explanation for the condition's last transition. type: string status: description: Status of the condition, one of ('True', 'False', 'Unknown'). enum: - "True" - "False" - Unknown type: string type: description: Type of the condition, currently ('Ready'). 
type: string required: - status - type type: object type: array type: object type: object version: v1alpha2 versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: orders.acme.cert-manager.io spec: additionalPrinterColumns: - JSONPath: .status.state name: State type: string - JSONPath: .spec.issuerRef.name name: Issuer priority: 1 type: string - JSONPath: .status.reason name: Reason priority: 1 type: string - JSONPath: .metadata.creationTimestamp description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. name: Age type: date group: acme.cert-manager.io names: kind: Order listKind: OrderList plural: orders singular: order scope: Namespaced subresources: status: {} validation: openAPIV3Schema: description: Order is a type to represent an Order with an ACME server properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: commonName: description: CommonName is the common name as specified on the DER encoded CSR. If CommonName is not specified, the first DNSName specified will be used as the CommonName. 
At least one of CommonName or a DNSNames must be set. This field must match the corresponding field on the DER encoded CSR. type: string csr: description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. format: byte type: string dnsNames: description: DNSNames is a list of DNS names that should be included as part of the Order validation process. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least one of CommonName or a DNSNames must be set. This field must match the corresponding field on the DER encoded CSR. items: type: string type: array issuerRef: description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. properties: group: type: string kind: type: string name: type: string required: - name type: object required: - csr - issuerRef type: object status: properties: authorizations: description: Authorizations contains data returned from the ACME server on what authoriations must be completed in order to validate the DNS names specified on the Order. items: description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. properties: challenges: description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. items: description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. 
properties: token: description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. type: string type: description: Type is the type of challenge being offered, e.g. http-01, dns-01 type: string url: description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. type: string required: - token - type - url type: object type: array identifier: description: Identifier is the DNS name to be validated as part of this authorization type: string url: description: URL is the URL of the Authorization that must be completed type: string wildcard: description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. type: boolean required: - url type: object type: array certificate: description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. format: byte type: string failureTime: description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. format: date-time type: string finalizeURL: description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. type: string reason: description: Reason optionally provides more information about a why the order is in the current state. type: string state: description: State contains the current state of this Order resource. 
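States 'success' and 'expired' are 'final' enum: - valid - ready - pending - processing - invalid - expired - errored type: string url: description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. type: string type: object required: - metadata type: object version: v1alpha2 versions: - name: v1alpha2 served: true storage: true
================================================
FILE: manifest1.3/003-cert-manager-overlays-self-signed.yaml
================================================
# cert-manager install for Kubeflow: namespace, service accounts, RBAC,
# controller / cainjector / webhook Deployments, the aggregated webhook API
# registration, a self-signed ClusterIssuer and the admission webhook configs.
#
# Review changes in this listing:
#   * RBAC `apiGroups` entries written as `networking.k8s.io/v1` are now
#     `networking.k8s.io`. `apiGroups` takes a group name without a version,
#     so the original entries matched no request at all.
#   * RBAC objects all use `rbac.authorization.k8s.io/v1`, matching the first
#     three ClusterRoles in this file (the rest used `v1beta1`).
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager
  namespace: cert-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: cainjector
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-cainjector
  namespace: cert-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: webhook
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-webhook
  namespace: cert-manager
---
# Aggregated role: the aggregate-to-* labels fold these write verbs into the
# built-in `admin` and `edit` ClusterRoles, so every subject holding those
# roles can create and modify Certificates, CertificateRequests and Issuers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: cert-manager-edit
rules:
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  - certificaterequests
  - issuers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
---
# Aggregated read-only counterpart, folded into `admin`, `edit` and `view`.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: cert-manager-view
rules:
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  - certificaterequests
  - issuers
  verbs:
  - get
  - list
  - watch
---
# No binding for this role appears in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: webhook
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-webhook:webhook-requester
rules:
- apiGroups:
  - admission.cert-manager.io
  resources:
  - certificates
  - certificaterequests
  - issuers
  - clusterissuers
  verbs:
  - create
---
# cainjector: bound cluster-wide below, so the Secret rule is read access to
# Secrets in every namespace, and the `update` verbs let it rewrite webhook
# configurations, APIServices and CRDs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cainjector
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-cainjector
rules:
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - get
  - create
  - update
  - patch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
  - update
---
# Controller roles (this one and the five that follow) are all bound to the
# `cert-manager` ServiceAccount with ClusterRoleBindings, so their Secret
# rules apply in every namespace. Three of them grant create/update/delete
# on Secrets; treat the controller's token as cluster-wide Secret write.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-certificates
rules:
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  - certificates/status
  - certificaterequests
  - certificaterequests/status
  verbs:
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  - certificaterequests
  - clusterissuers
  - issuers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - certificates/finalizers
  verbs:
  - update
- apiGroups:
  - acme.cert-manager.io
  resources:
  - orders
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-challenges
rules:
- apiGroups:
  - acme.cert-manager.io
  resources:
  - challenges
  - challenges/status
  verbs:
  - update
- apiGroups:
  - acme.cert-manager.io
  resources:
  - challenges
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - issuers
  - clusterissuers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
# Cluster-wide create/delete on Pods and Services.
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
# Fixed: was `networking.k8s.io/v1`, which is not an API group name and
# therefore granted nothing for that group.
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
- apiGroups:
  - acme.cert-manager.io
  resources:
  - challenges/finalizers
  verbs:
  - update
# Same Secret read rule as above, repeated in the original manifest.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-clusterissuers
rules:
- apiGroups:
  - cert-manager.io
  resources:
  - clusterissuers
  - clusterissuers/status
  verbs:
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - clusterissuers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-ingress-shim
rules:
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  - certificaterequests
  verbs:
  - create
  - update
  - delete
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  - certificaterequests
  - issuers
  - clusterissuers
  verbs:
  - get
  - list
  - watch
# Fixed: was `networking.k8s.io/v1` (matched nothing).
# NOTE(review): unlike the challenges role, `extensions` is not listed here;
# confirm which Ingress API group the deployed controller version requests.
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/finalizers
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-issuers
rules:
- apiGroups:
  - cert-manager.io
  resources:
  - issuers
  - issuers/status
  verbs:
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - issuers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-orders
rules:
- apiGroups:
  - acme.cert-manager.io
  resources:
  - orders
  - orders/status
  verbs:
  - update
- apiGroups:
  - acme.cert-manager.io
  resources:
  - orders
  - challenges
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - clusterissuers
  - issuers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - acme.cert-manager.io
  resources:
  - challenges
  verbs:
  - create
  - delete
- apiGroups:
  - acme.cert-manager.io
  resources:
  - orders/finalizers
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: cainjector
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-cainjector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
subjects:
- kind: ServiceAccount
  name: cert-manager-cainjector
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-certificates
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-challenges
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-clusterissuers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-ingress-shim
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-issuers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-controller-orders
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: cert-manager
---
# system:auth-delegator is the built-in role for delegated authentication and
# authorization checks (TokenReview / SubjectAccessReview); the webhook runs
# as an aggregated API server and needs it for that.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: webhook
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-webhook:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
---
apiVersion: v1
data:
  namespace: cert-manager
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-parameters
  namespace: cert-manager
---
# Metrics endpoint of the controller (port 9402, see the prometheus.io
# annotations on the Deployment).
apiVersion: v1
kind: Service
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager
  namespace: cert-manager
spec:
  ports:
  - port: 9402
    protocol: TCP
    targetPort: 9402
  selector:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: webhook
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-webhook
  namespace: cert-manager
spec:
  ports:
  - name: https
    port: 443
    targetPort: 6443
  selector:
    app: webhook
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  type: ClusterIP
---
# Applies to all three Deployments below:
#   * Images come from a mirror registry and are referenced by tag only.
#     NOTE(review): confirm the mirrored images match the upstream release
#     and consider pinning by digest (image@sha256:<digest>).
#   * No securityContext is set on the pod or the container, so they run
#     with the image and runtime defaults.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager
  namespace: cert-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
      app.kubernetes.io/component: cert-manager
      app.kubernetes.io/name: cert-manager
      kustomize.component: cert-manager
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "9402"
        prometheus.io/scrape: "true"
      labels:
        app: cert-manager
        app.kubernetes.io/component: cert-manager
        app.kubernetes.io/name: cert-manager
        kustomize.component: cert-manager
    spec:
      containers:
      - args:
        - --v=2
        - --cluster-resource-namespace=$(POD_NAMESPACE)
        - --leader-election-namespace=kube-system
        - --webhook-namespace=$(POD_NAMESPACE)
        - --webhook-ca-secret=cert-manager-webhook-ca
        - --webhook-serving-secret=cert-manager-webhook-tls
        - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/jetstack-cert-manager-controller:v0.11.0-f127a
        imagePullPolicy: IfNotPresent
        name: cert-manager
        ports:
        - containerPort: 9402
        resources:
          requests:
            cpu: 10m
            memory: 32Mi
      serviceAccountName: cert-manager
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cainjector
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-cainjector
  namespace: cert-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cainjector
      app.kubernetes.io/component: cert-manager
      app.kubernetes.io/name: cert-manager
      kustomize.component: cert-manager
  template:
    metadata:
      annotations: null
      labels:
        app: cainjector
        app.kubernetes.io/component: cert-manager
        app.kubernetes.io/name: cert-manager
        kustomize.component: cert-manager
    spec:
      containers:
      - args:
        - --v=2
        - --leader-election-namespace=kube-system
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/jetstack-cert-manager-cainjector:v0.11.0-26f79
        imagePullPolicy: IfNotPresent
        name: cainjector
        # No requests or limits are set for this container.
        resources: {}
      serviceAccountName: cert-manager-cainjector
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: webhook
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-webhook
  namespace: cert-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook
      app.kubernetes.io/component: cert-manager
      app.kubernetes.io/name: cert-manager
      kustomize.component: cert-manager
  template:
    metadata:
      annotations: null
      labels:
        app: webhook
        app.kubernetes.io/component: cert-manager
        app.kubernetes.io/name: cert-manager
        kustomize.component: cert-manager
    spec:
      containers:
      - args:
        - --v=2
        - --secure-port=6443
        - --tls-cert-file=/certs/tls.crt
        - --tls-private-key-file=/certs/tls.key
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/jetstack-cert-manager-webhook:v0.11.0-18a2f
        imagePullPolicy: IfNotPresent
        name: cert-manager
        # No requests or limits are set for this container.
        resources: {}
        volumeMounts:
        # Serving key pair; the Secret is named by --webhook-serving-secret
        # on the controller Deployment.
        - mountPath: /certs
          name: certs
      serviceAccountName: cert-manager-webhook
      volumes:
      - name: certs
        secret:
          secretName: cert-manager-webhook-tls
---
# Registers the webhook as an aggregated API under webhook.cert-manager.io.
# apiregistration.k8s.io/v1beta1 is no longer served from Kubernetes 1.22.
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  annotations:
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
  labels:
    app: webhook
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: v1beta1.webhook.cert-manager.io
spec:
  group: webhook.cert-manager.io
  groupPriorityMinimum: 1000
  service:
    name: cert-manager-webhook
    namespace: cert-manager
  version: v1beta1
  versionPriority: 15
---
# Self-signed issuer: each certificate is signed with its own private key,
# so relying parties have no CA to chain to unless they trust the
# certificate itself.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  labels:
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: kubeflow-self-signing-issuer
spec:
  selfSigned: {}
---
# Both webhook configurations target the `kubernetes` Service in `default`
# (the API server) with a path under /apis/webhook.cert-manager.io/v1beta1,
# i.e. the group registered by the APIService above. caBundle is left empty
# here; presumably cainjector fills it in, driven by the inject-apiserver-ca
# annotation. With failurePolicy: Fail, CREATE and UPDATE of the listed
# resources are rejected while the webhook cannot be reached.
# admissionregistration.k8s.io/v1beta1 is no longer served from Kubernetes 1.22.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
  labels:
    app: webhook
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-webhook
webhooks:
- clientConfig:
    caBundle: ""
    service:
      name: kubernetes
      namespace: default
      path: /apis/webhook.cert-manager.io/v1beta1/mutations
  failurePolicy: Fail
  name: webhook.cert-manager.io
  rules:
  - apiGroups:
    - cert-manager.io
    apiVersions:
    - v1alpha2
    operations:
    - CREATE
    - UPDATE
    resources:
    - certificates
    - issuers
    - clusterissuers
    - orders
    - challenges
    - certificaterequests
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
  labels:
    app: webhook
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/name: cert-manager
    kustomize.component: cert-manager
  name: cert-manager-webhook
webhooks:
- clientConfig:
    caBundle: ""
    service:
      name: kubernetes
      namespace: default
      path: /apis/webhook.cert-manager.io/v1beta1/validations
  failurePolicy: Fail
  # NOTE(review): this webhook is named webhook.certmanager.k8s.io while the
  # mutating one is webhook.cert-manager.io; left as in the original.
  name: webhook.certmanager.k8s.io
  rules:
  - apiGroups:
    - cert-manager.io
    apiVersions:
    - v1alpha2
    operations:
    - CREATE
    - UPDATE
    resources:
    - certificates
    - issuers
    - clusterissuers
    - certificaterequests
  sideEffects: None
================================================
FILE: manifest1.3/004-istio-1-9-0-istio-crds-base.yaml
================================================
apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller istio: security release: istio name: authorizationpolicies.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io kind: AuthorizationPolicy listKind: AuthorizationPolicyList plural: authorizationpolicies singular: authorizationpolicy preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' oneOf: - not: anyOf: - required: - provider - required: - provider properties: action: description: Optional. enum: - ALLOW - DENY - AUDIT - CUSTOM type: string provider: description: Specifies detailed configuration of the CUSTOM action.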
properties: name: description: Specifies the name of the extension provider. format: string type: string type: object rules: description: Optional. items: properties: from: description: Optional. items: properties: source: description: Source specifies the source of a request. properties: ipBlocks: description: Optional. items: format: string type: string type: array namespaces: description: Optional. items: format: string type: string type: array notIpBlocks: description: Optional. items: format: string type: string type: array notNamespaces: description: Optional. items: format: string type: string type: array notPrincipals: description: Optional. items: format: string type: string type: array notRemoteIpBlocks: description: Optional. items: format: string type: string type: array notRequestPrincipals: description: Optional. items: format: string type: string type: array principals: description: Optional. items: format: string type: string type: array remoteIpBlocks: description: Optional. items: format: string type: string type: array requestPrincipals: description: Optional. items: format: string type: string type: array type: object type: object type: array to: description: Optional. items: properties: operation: description: Operation specifies the operation of a request. properties: hosts: description: Optional. items: format: string type: string type: array methods: description: Optional. items: format: string type: string type: array notHosts: description: Optional. items: format: string type: string type: array notMethods: description: Optional. items: format: string type: string type: array notPaths: description: Optional. items: format: string type: string type: array notPorts: description: Optional. items: format: string type: string type: array paths: description: Optional. items: format: string type: string type: array ports: description: Optional. 
items: format: string type: string type: array type: object type: object type: array when: description: Optional. items: properties: key: description: The name of an Istio attribute. format: string type: string notValues: description: Optional. items: format: string type: string type: array values: description: Optional. items: format: string type: string type: array type: object type: array type: object type: array selector: description: Optional. properties: matchLabels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1beta1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: destinationrules.networking.istio.io spec: additionalPrinterColumns: - JSONPath: .spec.host description: The name of a service from the service registry name: Host type: string - JSONPath: .metadata.creationTimestamp description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' name: Age type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: DestinationRule listKind: DestinationRuleList plural: destinationrules shortNames: - dr singular: destinationrule preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting load balancing, outlier detection, etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: exportTo: description: A list of namespaces to which this destination rule is exported. items: format: string type: string type: array host: description: The name of a service from the service registry. format: string type: string subsets: items: properties: labels: additionalProperties: format: string type: string type: object name: description: Name of the subset. format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. 
type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. 
type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. 
format: int32 type: integer maxRetries: format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. 
format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object port: properties: number: type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. 
format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: array tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: object type: array trafficPolicy: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. 
type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. 
type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. 
format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer useClientProtocol: description: If set to true, client protocol will be preserved while initiating connection to backend. type: boolean type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash - required: - simple - properties: consistentHash: oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterName required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. 
format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object localityLbSetting: properties: distribute: description: 'Optional: only one of distribute or failover can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. format: string type: string to: additionalProperties: type: integer description: Map of upstream localities to traffic distribution weights. type: object type: object type: array enabled: description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. nullable: true type: boolean failover: description: 'Optional: only failover or distribute can be set.' items: properties: from: description: Originating region. format: string type: string to: format: string type: string type: object type: array type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. nullable: true type: integer consecutiveErrors: format: int32 type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. 
type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object port: properties: number: type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: array tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string credentialName: format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. 
format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1alpha3 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: envoyfilters.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: EnvoyFilter listKind: EnvoyFilterList plural: envoyfilters singular: envoyfilter preserveUnknownFields: true scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' properties: configPatches: description: One or more patches with match conditions. items: properties: applyTo: enum: - INVALID - LISTENER - FILTER_CHAIN - NETWORK_FILTER - HTTP_FILTER - ROUTE_CONFIGURATION - VIRTUAL_HOST - HTTP_ROUTE - CLUSTER - EXTENSION_CONFIG type: string match: description: Match on listener/route configuration/cluster. oneOf: - not: anyOf: - required: - listener - required: - routeConfiguration - required: - cluster - required: - listener - required: - routeConfiguration - required: - cluster properties: cluster: description: Match on envoy cluster attributes. properties: name: description: The exact name of the cluster to match. format: string type: string portNumber: description: The service port for which this cluster was generated. type: integer service: description: The fully qualified service name for this cluster. format: string type: string subset: description: The subset associated with the service. 
format: string type: string type: object context: description: The specific config generation context to match on. enum: - ANY - SIDECAR_INBOUND - SIDECAR_OUTBOUND - GATEWAY type: string listener: description: Match on envoy listener attributes. properties: filterChain: description: Match a specific filter chain in a listener. properties: applicationProtocols: description: Applies only to sidecars. format: string type: string destinationPort: description: The destination_port value used by a filter chain's match condition. type: integer filter: description: The name of a specific filter to apply the patch to. properties: name: description: The filter name to match on. format: string type: string subFilter: properties: name: description: The filter name to match on. format: string type: string type: object type: object name: description: The name assigned to the filter chain. format: string type: string sni: description: The SNI value used by a filter chain's match condition. format: string type: string transportProtocol: description: Applies only to `SIDECAR_INBOUND` context. format: string type: string type: object name: description: Match a specific listener by its name. format: string type: string portName: format: string type: string portNumber: type: integer type: object proxy: description: Match on properties associated with a proxy. properties: metadata: additionalProperties: format: string type: string type: object proxyVersion: format: string type: string type: object routeConfiguration: description: Match on envoy HTTP route configuration attributes. properties: gateway: format: string type: string name: description: Route configuration name to match on. format: string type: string portName: description: Applicable only for GATEWAY context. format: string type: string portNumber: type: integer vhost: properties: name: format: string type: string route: description: Match a specific route within the virtual host. 
properties: action: description: Match a route with specific action type. enum: - ANY - ROUTE - REDIRECT - DIRECT_RESPONSE type: string name: format: string type: string type: object type: object type: object type: object patch: description: The patch to apply along with the operation. properties: filterClass: description: Determines the filter insertion order. enum: - UNSPECIFIED - AUTHN - AUTHZ - STATS type: string operation: description: Determines how the patch should be applied. enum: - INVALID - MERGE - ADD - REMOVE - INSERT_BEFORE - INSERT_AFTER - INSERT_FIRST - REPLACE type: string value: description: The JSON config of the object being patched. type: object type: object type: object type: array workloadSelector: properties: labels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1alpha3 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: gateways.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: Gateway listKind: GatewayList plural: gateways shortNames: - gw singular: gateway preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' properties: selector: additionalProperties: format: string type: string type: object servers: description: A list of server specifications. items: properties: bind: format: string type: string defaultEndpoint: format: string type: string hosts: description: One or more hosts exposed by this gateway. 
items: format: string type: string type: array name: description: An optional name of the server, when set must be unique across all servers. format: string type: string port: properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object tls: description: Set of TLS related options that govern the server's behavior. properties: caCertificates: description: REQUIRED if mode is `MUTUAL`. format: string type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: format: string type: string type: array credentialName: format: string type: string httpsRedirect: type: boolean maxProtocolVersion: description: 'Optional: Maximum TLS protocol version.' enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: 'Optional: Minimum TLS protocol version.' enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
format: string type: string subjectAltNames: items: format: string type: string type: array verifyCertificateHash: items: format: string type: string type: array verifyCertificateSpki: items: format: string type: string type: array type: object type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1alpha3 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: release: istio name: istiooperators.install.istio.io spec: additionalPrinterColumns: - JSONPath: .spec.revision description: Istio control plane revision name: Revision type: string - JSONPath: .status.status description: IOP current state name: Status type: string - JSONPath: .metadata.creationTimestamp description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' name: Age type: date group: install.istio.io names: kind: IstioOperator plural: istiooperators shortNames: - iop - io singular: istiooperator scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string spec: description: 'Specification of the desired state of the istio control plane resource. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' type: object status: description: 'Status describes each of istio control plane component status at the current time. 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' type: object versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller istio: security release: istio name: peerauthentications.security.istio.io spec: additionalPrinterColumns: - JSONPath: .spec.mtls.mode description: Defines the mTLS mode used for peer authentication. name: Mode type: string - JSONPath: .metadata.creationTimestamp description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' name: Age type: date group: security.istio.io names: categories: - istio-io - security-istio-io kind: PeerAuthentication listKind: PeerAuthenticationList plural: peerauthentications shortNames: - pa singular: peerauthentication preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. properties: mtls: description: Mutual TLS settings for workload. properties: mode: description: Defines the mTLS mode used for peer authentication. enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object portLevelMtls: additionalProperties: properties: mode: description: Defines the mTLS mode used for peer authentication. enum: - UNSET - DISABLE - PERMISSIVE - STRICT type: string type: object description: Port specific mutual TLS settings. type: object selector: description: The selector determines the workloads to apply the ChannelAuthentication on. 
properties: matchLabels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1beta1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller istio: security release: istio name: requestauthentications.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io kind: RequestAuthentication listKind: RequestAuthenticationList plural: requestauthentications shortNames: - ra singular: requestauthentication preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: RequestAuthentication defines what request authentication methods are supported by a workload. properties: jwtRules: description: Define the list of JWTs that can be validated at the selected workloads' proxy. items: properties: audiences: items: format: string type: string type: array forwardOriginalToken: description: If set to true, the original token will be kept for the upstream request. type: boolean fromHeaders: description: List of header locations from which JWT is expected. items: properties: name: description: The HTTP header name. format: string type: string prefix: description: The prefix that should be stripped before decoding the token. format: string type: string type: object type: array fromParams: description: List of query parameters from which JWT is expected. items: format: string type: string type: array issuer: description: Identifies the issuer that issued the JWT. format: string type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT.
format: string type: string jwks_uri: format: string type: string jwksUri: format: string type: string outputPayloadToHeader: format: string type: string type: object type: array selector: description: The selector determines the workloads to apply the RequestAuthentication on. properties: matchLabels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1beta1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: serviceentries.networking.istio.io spec: additionalPrinterColumns: - JSONPath: .spec.hosts description: The hosts associated with the ServiceEntry name: Hosts type: string - JSONPath: .spec.location description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) name: Location type: string - JSONPath: .spec.resolution description: Service discovery mode for the hosts (NONE, STATIC, or DNS) name: Resolution type: string - JSONPath: .metadata.creationTimestamp description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' name: Age type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: ServiceEntry listKind: ServiceEntryList plural: serviceentries shortNames: - se singular: serviceentry preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' properties: addresses: description: The virtual IP addresses associated with the service. items: format: string type: string type: array endpoints: description: One or more endpoints associated with the service. items: properties: address: format: string type: string labels: additionalProperties: format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. format: string type: string network: format: string type: string ports: additionalProperties: type: integer description: Set of ports associated with the endpoint. type: object serviceAccount: format: string type: string weight: description: The load balancing weight associated with the endpoint. type: integer type: object type: array exportTo: description: A list of namespaces to which this service is exported. items: format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: format: string type: string type: array location: enum: - MESH_EXTERNAL - MESH_INTERNAL type: string ports: description: The ports associated with the external service. items: properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. 
format: string type: string targetPort: type: integer type: object type: array resolution: description: Service discovery mode for the hosts. enum: - NONE - STATIC - DNS type: string subjectAltNames: items: format: string type: string type: array workloadSelector: description: Applicable only for MESH_INTERNAL services. properties: labels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1alpha3 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: sidecars.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: Sidecar listKind: SidecarList plural: sidecars singular: sidecar preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: egress: items: properties: bind: format: string type: string captureMode: enum: - DEFAULT - IPTABLES - NONE type: string hosts: items: format: string type: string type: array port: description: The port associated with the listener. properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object type: object type: array ingress: items: properties: bind: description: The IP to which the listener should be bound. 
format: string type: string captureMode: enum: - DEFAULT - IPTABLES - NONE type: string defaultEndpoint: format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string targetPort: type: integer type: object type: object type: array outboundTrafficPolicy: description: Configuration for the outbound traffic policy. properties: egressProxy: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object mode: enum: - REGISTRY_ONLY - ALLOW_ANY type: string type: object workloadSelector: properties: labels: additionalProperties: format: string type: string type: object type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1alpha3 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: virtualservices.networking.istio.io spec: additionalPrinterColumns: - JSONPath: .spec.gateways description: The names of gateways and sidecars that should apply these routes name: Gateways type: string - JSONPath: .spec.hosts description: The destination hosts to which traffic is being sent name: Hosts type: string - JSONPath: .metadata.creationTimestamp description: 'CreationTimestamp is a timestamp representing the server time when this object was created. 
It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' name: Age type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: VirtualService listKind: VirtualServiceList plural: virtualservices shortNames: - vs singular: virtualservice preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' properties: exportTo: description: A list of namespaces to which this virtual service is exported. items: format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: format: string type: string type: array http: description: An ordered list of route rules for HTTP traffic. items: properties: corsPolicy: description: Cross-Origin Resource Sharing policy (CORS). properties: allowCredentials: nullable: true type: boolean allowHeaders: items: format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: format: string type: string type: array allowOrigins: description: String patterns that match allowed origins. 
items: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object type: array exposeHeaders: items: format: string type: string type: array maxAge: type: string type: object delegate: properties: name: description: Name specifies the name of the delegate VirtualService. format: string type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. format: string type: string type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. properties: abort: oneOf: - not: anyOf: - required: - httpStatus - required: - grpcStatus - required: - http2Error - required: - httpStatus - required: - grpcStatus - required: - http2Error properties: grpcStatus: format: string type: string http2Error: format: string type: string httpStatus: description: HTTP status code to use to abort the Http request. format: int32 type: integer percentage: description: Percentage of requests to be aborted with the error code provided. properties: value: format: double type: number type: object type: object delay: oneOf: - not: anyOf: - required: - fixedDelay - required: - exponentialDelay - required: - fixedDelay - required: - exponentialDelay properties: exponentialDelay: type: string fixedDelay: description: Add a fixed delay before forwarding the request. type: string percent: description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer percentage: description: Percentage of requests on which the delay will be injected. 
properties: value: format: double type: number type: object type: object type: object headers: properties: request: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object response: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object type: object match: items: properties: authority: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object gateways: description: Names of gateways where the rule should be applied. items: format: string type: string type: array headers: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object type: object ignoreUriCase: description: Flag to specify whether the URI matching should be case-insensitive. type: boolean method: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
format: string type: string type: object name: description: The name assigned to a match. format: string type: string port: description: Specifies the ports on the host that is being addressed. type: integer queryParams: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object description: Query parameters for matching. type: object scheme: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object sourceLabels: additionalProperties: format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string uri: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). format: string type: string type: object withoutHeaders: additionalProperties: oneOf: - not: anyOf: - required: - exact - required: - prefix - required: - regex - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
format: string type: string type: object description: withoutHeader has the same syntax with the header, but has opposite meaning. type: object type: object type: array mirror: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object mirror_percent: description: Percentage of the traffic to be mirrored by the `mirror` field. nullable: true type: integer mirrorPercent: description: Percentage of the traffic to be mirrored by the `mirror` field. nullable: true type: integer mirrorPercentage: description: Percentage of the traffic to be mirrored by the `mirror` field. properties: value: format: double type: number type: object name: description: The name assigned to the route for debugging purposes. format: string type: string redirect: description: A HTTP rule can either redirect or forward (default) traffic. properties: authority: format: string type: string redirectCode: type: integer uri: format: string type: string type: object retries: description: Retry policy for HTTP requests. properties: attempts: description: Number of retries to be allowed for a given request. format: int32 type: integer perTryTimeout: description: Timeout per retry attempt for a given request. type: string retryOn: description: Specifies the conditions under which retry takes place. format: string type: string retryRemoteLocalities: description: Flag to specify whether the retries should retry to other localities. nullable: true type: boolean type: object rewrite: description: Rewrite HTTP URIs and Authority headers. properties: authority: description: rewrite the Authority/Host header with this value. 
format: string type: string uri: format: string type: string type: object route: description: A HTTP rule can either redirect or forward (default) traffic. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object headers: properties: request: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object response: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object type: object weight: format: int32 type: integer type: object type: array timeout: description: Timeout for HTTP requests, default is disabled. type: string type: object type: array tcp: description: An ordered list of route rules for opaque TCP traffic. items: properties: match: items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: format: string type: string type: array port: description: Specifies the port on the host that is being addressed. type: integer sourceLabels: additionalProperties: format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. 
format: string type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object weight: format: int32 type: integer type: object type: array type: object type: array tls: items: properties: match: items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: format: string type: string type: array port: description: Specifies the port on the host that is being addressed. type: integer sniHosts: description: SNI (server name indicator) to match on. items: format: string type: string type: array sourceLabels: additionalProperties: format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. 
format: string type: string type: object weight: format: int32 type: integer type: object type: array type: object type: array type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1alpha3 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: workloadentries.networking.istio.io spec: additionalPrinterColumns: - JSONPath: .metadata.creationTimestamp description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' name: Age type: date - JSONPath: .spec.address description: Address associated with the network endpoint. name: Address type: string group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: WorkloadEntry listKind: WorkloadEntryList plural: workloadentries shortNames: - we singular: workloadentry preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: format: string type: string labels: additionalProperties: format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. 
format: string type: string network: format: string type: string ports: additionalProperties: type: integer description: Set of ports associated with the endpoint. type: object serviceAccount: format: string type: string weight: description: The load balancing weight associated with the endpoint. type: integer type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1alpha3 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: workloadgroups.networking.istio.io spec: additionalPrinterColumns: - JSONPath: .metadata.creationTimestamp description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' name: Age type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: WorkloadGroup listKind: WorkloadGroupList plural: workloadgroups shortNames: - wg singular: workloadgroup preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' properties: metadata: description: Metadata that will be used for all corresponding `WorkloadEntries`. 
properties: annotations: additionalProperties: format: string type: string type: object labels: additionalProperties: format: string type: string type: object type: object probe: description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' oneOf: - not: anyOf: - required: - httpGet - required: - tcpSocket - required: - exec - required: - httpGet - required: - tcpSocket - required: - exec properties: exec: description: Health is determined by how the command that is executed exited. properties: command: description: Command to run. items: format: string type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 type: integer httpGet: properties: host: description: Host name to connect to, defaults to the pod IP. format: string type: string httpHeaders: description: Headers the proxy will pass on to make the request. items: properties: name: format: string type: string value: format: string type: string type: object type: array path: description: Path to access on the HTTP server. format: string type: string port: description: Port on which the endpoint lives. type: integer scheme: format: string type: string type: object initialDelaySeconds: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. properties: host: format: string type: string port: type: integer type: object timeoutSeconds: description: Number of seconds after which the probe times out. 
format: int32 type: integer type: object template: description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. properties: address: format: string type: string labels: additionalProperties: format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. format: string type: string network: format: string type: string ports: additionalProperties: type: integer description: Set of ports associated with the endpoint. type: object serviceAccount: format: string type: string weight: description: The load balancing weight associated with the endpoint. type: integer type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1alpha3 served: true storage: true ================================================ FILE: manifest1.3/005-istio-1-9-0-istio-namespace-base.yaml ================================================ apiVersion: v1 kind: Namespace metadata: labels: istio-injection: disabled istio-operator-managed: Reconcile name: istio-system ================================================ FILE: manifest1.3/006-istio-1-9-0-istio-install-base.yaml ================================================ apiVersion: v1 kind: ServiceAccount metadata: labels: app: istio-ingressgateway install.operator.istio.io/owning-resource: unknown istio: ingressgateway istio.io/rev: default operator.istio.io/component: IngressGateways release: istio name: istio-ingressgateway-service-account namespace: istio-system --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: istio-reader release: istio name: istio-reader-service-account namespace: istio-system --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: istiod release: istio name: istiod-service-account namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: 
# Remainder of the `istio-ingressgateway-sds` Role: its `kind: Role` /
# `metadata: labels:` opening is at the end of the preceding line of this dump.
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway-sds
  namespace: istio-system
rules:
# Read-only access to Secrets. This is a namespaced Role, so the grant is
# limited to the istio-system namespace.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list
---
# Namespaced Role for istiod, scoped to istio-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-istio-system
  namespace: istio-system
rules:
- apiGroups:
  - networking.istio.io
  resources:
  - gateways
  verbs:
  - create
# Full read/write/delete on Secrets, limited to istio-system by the Role scope.
# NOTE(review): anything stored as a Secret in istio-system is readable and
# replaceable by the bound service account; keep unrelated secrets out of
# this namespace.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - watch
  - list
  - update
  - delete
---
# ClusterRole for the istio-reader identity. Every rule is read-only except
# the two `create` rules for token and access reviews at the end.
# NOTE(review): the ClusterRoleBinding of the same name later in this file
# binds it to istio-reader-service-account, so the rules apply in every
# namespace of the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istio-reader
    release: istio
  name: istio-reader-istio-system
rules:
- apiGroups:
  - config.istio.io
  - security.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
# NOTE(review): this core-group rule includes `secrets`, so the bound identity
# can read every Secret in the cluster. Treat its token as highly sensitive,
# and confirm the grant is required before keeping it.
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  - services
  - nodes
  - replicationcontrollers
  - namespaces
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.istio.io
  resources:
  - workloadentries
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
# `create` on tokenreviews / subjectaccessreviews lets the holder ask the API
# server to validate a bearer token or evaluate an access check.
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
# ClusterRole for the istiod control plane.
# NOTE(review): the ClusterRoleBinding of the same name later in this file
# binds it to istiod-service-account, so the rules apply cluster-wide. The
# security-sensitive grants are flagged individually below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: istiod
    release: istio
  name: istiod-istio-system
rules:
# NOTE(review): write access (update/patch) to mutating admission webhook
# configurations, cluster-wide and not restricted by resourceNames. Changes to
# these objects affect every admitted workload; alert on them in the API
# audit log.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - update
  - patch
# Same concern for validating webhook configurations (update only, no patch).
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - config.istio.io
  - security.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.istio.io
  resources:
  - workloadentries
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - networking.istio.io
  resources:
  - workloadentries/status
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - services
  - namespaces
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  verbs:
  - get
  - list
  - watch
# Wildcard verbs, but only on the `ingresses/status` subresource.
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
# NOTE(review): this rule and the `approve` rule after it together allow the
# bound identity to create certificate signing requests and approve them for
# the `kubernetes.io/legacy-unknown` signer. Confirm the cluster still needs
# this path, and audit CSR approvals.
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  - certificatesigningrequests/approval
  - certificatesigningrequests/status
  verbs:
  - update
  - create
  - get
  - delete
  - watch
- apiGroups:
  - certificates.k8s.io
  resourceNames:
  - kubernetes.io/legacy-unknown
  resources:
  - signers
  verbs:
  - approve
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - networking.x-k8s.io
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
# NOTE(review): read access to Secrets in every namespace (ClusterRole scope).
# This is separate from the istio-system-only write access granted by the
# Role of the same name above.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list
---
# Binds the istio-ingressgateway-sds Role (Secret read in istio-system) to a
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway-sds
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
- kind: ServiceAccount
# The subject's name and namespace continue on the following line of this dump.
  name:
istio-ingressgateway-service-account namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: istiod release: istio name: istiod-istio-system namespace: istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: istiod-istio-system subjects: - kind: ServiceAccount name: istiod-service-account namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: istio-reader release: istio name: istio-reader-istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-reader-istio-system subjects: - kind: ServiceAccount name: istio-reader-service-account namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: istiod release: istio name: istiod-istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istiod-istio-system subjects: - kind: ServiceAccount name: istiod-service-account namespace: istio-system --- apiVersion: v1 data: mesh: |- accessLogFile: /dev/stdout defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 proxyMetadata: {} tracing: zipkin: address: zipkin.istio-system:9411 enablePrometheusMerge: true rootNamespace: istio-system trustDomain: cluster.local meshNetworks: 'networks: {}' kind: ConfigMap metadata: labels: install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot release: istio name: istio namespace: istio-system --- apiVersion: v1 data: config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" templates: sidecar: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq 
$container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} istio.io/rev: {{ .Revision | default "default" | quote }} annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` 
.Values.global.proxy.excludeInboundPorts) }}", {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} {{- end }} } spec: {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.istio_cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} args: - istio-iptables - "-p" - "15001" - "-z" - "15006" - "-u" - "1337" - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges 
}}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - "-d" {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{- else }} - "15090,15021" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - "-q" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{ end -}} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if .Values.istio_cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ end -}} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} resources: {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations 
`sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not .Values.istio_cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL {{- if not .Values.istio_cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} readOnlyRootFilesystem: true runAsGroup: 1337 runAsUser: 1337 runAsNonRoot: true {{- end }} restartPolicy: Always {{ end -}} {{- if eq .Values.global.proxy.enableCoreDump true }} - name: enable-core-dump args: - -c - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited command: - /bin/sh {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` 
.Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" resources: {} securityContext: allowPrivilegeEscalation: true capabilities: add: - SYS_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{ end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster {{ if ne "" (index .ObjectMeta.Labels "app") -}} - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" {{ else -}} - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" {{ end -}} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} - --concurrency - "{{ .ProxyConfig.Concurrency.GetValue }}" {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- else if $holdProxy }} lifecycle: 
postStart: exec: command: - pilot-agent - wait {{- end }} env: - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: CANONICAL_SERVICE valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-name'] - name: CANONICAL_REVISION valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{ if .ObjectMeta.Annotations }} - name: ISTIO_METAJSON_ANNOTATIONS value: | {{ toJSON .ObjectMeta.Annotations }} {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ 
.DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end 
-}} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} add: {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - NET_ADMIN {{- end }} {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - NET_BIND_SERVICE {{- end }} {{- end }} drop: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} runAsGroup: 1337 fsGroup: 1337 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false runAsUser: 0 {{- else -}} runAsNonRoot: true runAsUser: 1337 {{- end }} resources: {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations 
`sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} volumeMounts: {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - path: "cpu-limit" resourceFieldRef: containerName: istio-proxy resource: limits.cpu divisor: 1m - path: "cpu-request" resourceFieldRef: containerName: istio-proxy resource: requests.cpu divisor: 1m {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: name: istio-ca-root-cert {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} securityContext: fsGroup: 1337 {{- end }} values: |- { "global": { "arch": { "amd64": 2, "ppc64le": 2, "s390x": 2 }, "caAddress": "", "configValidation": true, "defaultNodeSelector": {}, "defaultPodDisruptionBudget": { "enabled": true }, "defaultResources": { "requests": { "cpu": "10m" } }, "enabled": true, "externalIstiod": false, "hub": "docker.io/istio", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "istio-system", "istiod": { "enableAnalysis": false }, "jwtPolicy": "third-party-jwt", "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "", "enabled": false }, "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, "oneNamespace": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "priorityClassName": "", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "enableCoreDump": false, "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "holdApplicationUntilProxyStarts": false, "image": "proxyv2", 
"includeIPRanges": "*", "logLevel": "warning", "privileged": false, "readinessFailureThreshold": 30, "readinessInitialDelaySeconds": 1, "readinessPeriodSeconds": 2, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "10m", "memory": "40Mi" } }, "statusPort": 15020, "tracer": "zipkin" }, "proxy_init": { "image": "proxyv2", "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "10m", "memory": "10Mi" } } }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.9.0", "tracer": { "datadog": { "address": "$(HOST_IP):8126" }, "lightstep": { "accessToken": "", "address": "" }, "stackdriver": { "debug": false, "maxNumberOfAnnotations": 200, "maxNumberOfAttributes": 200, "maxNumberOfMessageEvents": 200 }, "zipkin": { "address": "" } }, "trustDomain": "", "useMCP": false }, "istio_cni": { "enabled": false }, "revision": "", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "objectSelector": { "autoInject": true, "enabled": true }, "rewriteAppHTTPProbe": true, "templates": {}, "useLegacySelectors": true } } kind: ConfigMap metadata: labels: install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot release: istio name: istio-sidecar-injector namespace: istio-system --- apiVersion: v1 kind: Service metadata: labels: app: istio-ingressgateway install.operator.istio.io/owning-resource: unknown istio: ingressgateway istio.io/rev: default operator.istio.io/component: IngressGateways release: istio name: istio-ingressgateway namespace: istio-system spec: ports: - name: status-port port: 15021 protocol: TCP targetPort: 15021 - name: http2 port: 80 protocol: TCP targetPort: 8080 nodePort: 30000 - name: https port: 443 protocol: TCP targetPort: 8443 - name: tcp port: 31400 protocol: TCP targetPort: 
31400 - name: tls port: 15443 protocol: TCP targetPort: 15443 selector: app: istio-ingressgateway istio: ingressgateway type: NodePort
# NOTE(review): the istio-ingressgateway Service that ends on the line above is
# `type: NodePort`, so each of its ports is opened on every node's address.
# Only http2 (80 -> 8080) pins a node port, 30000; the other ports get one
# assigned from the cluster's NodePort range. Whether TLS is enforced depends on
# Gateway resources that are not part of this document -- confirm that logins
# and session cookies are not served in plaintext through node port 30000, and
# limit who can reach the nodes (host firewall / cloud security group).
---
# Service: istiod -- control-plane endpoints. No `type` is set, so Kubernetes
# defaults this Service to ClusterIP.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: istiod
    install.operator.istio.io/owning-resource: unknown
    istio: pilot
    istio.io/rev: default
    operator.istio.io/component: Pilot
    release: istio
  name: istiod
  namespace: istio-system
spec:
  ports:
  # NOTE(review): 15010 is istiod's plaintext XDS port per Istio's port
  # reference. The workloads in this file are pointed at 15012 instead
  # (CA_ADDR / ISTIOD_ADDR), so a NetworkPolicy restricting 15010 to the
  # clients that still need it limits exposure of the cleartext endpoint.
  - name: grpc-xds
    port: 15010
    protocol: TCP
  - name: https-dns
    port: 15012
    protocol: TCP
  # Service port 443 forwards to container port 15017.
  - name: https-webhook
    port: 443
    protocol: TCP
    targetPort: 15017
  - name: http-monitoring
    port: 15014
    protocol: TCP
  selector:
    app: istiod
    istio: pilot
---
# Deployment: istio-ingressgateway -- Envoy started as `proxy router`, the pods
# selected by the istio-ingressgateway Service. Sidecar injection is switched
# off for these pods (sidecar.istio.io/inject: "false").
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        sidecar.istio.io/inject: "false"
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        install.operator.istio.io/owning-resource: unknown
        istio: ingressgateway
        istio.io/rev: default
        operator.istio.io/component: IngressGateways
        release: istio
        service.istio.io/canonical-name: istio-ingressgateway
        service.istio.io/canonical-revision: latest
        sidecar.istio.io/inject: "false"
    spec:
      # Scheduling is limited to amd64 / ppc64le / s390x nodes.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - proxy
        - router
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --proxyLogLevel=warning
        - --proxyComponentLogLevel=misc:error
        - --log_output_level=default:info
        - --serviceCluster
        - istio-ingressgateway
        env:
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        # The gateway reaches the CA on istiod's 15012 port, not on 15010.
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.hostIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: CANONICAL_SERVICE
          valueFrom:
            fieldRef:
              fieldPath: metadata.labels['service.istio.io/canonical-name']
        - name: CANONICAL_REVISION
          valueFrom:
            fieldRef:
              fieldPath: metadata.labels['service.istio.io/canonical-revision']
        - name: ISTIO_META_WORKLOAD_NAME
          value: istio-ingressgateway
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
        - name: ISTIO_META_UNPRIVILEGED_POD
          value: "true"
        - name: ISTIO_META_ROUTER_MODE
          value: standard
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        # NOTE(review): pulled from a registry mirror rather than the
        # `docker.io/istio` hub named in the injector values of this file, and
        # referenced by tag only. A tag can be re-pointed by whoever controls
        # the registry namespace; pinning the reference by digest
        # (`@sha256:<digest-placeholder>`) after comparing it with the upstream
        # image makes the pull verifiable. Istio 1.9 is also past upstream
        # end-of-life, so proxy security fixes require a newer release line.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-proxyv2:1.9.0-e8a74
        name: istio-proxy
        ports:
        - containerPort: 15021
          protocol: TCP
        - containerPort: 8080
          protocol: TCP
        - containerPort: 8443
          protocol: TCP
        - containerPort: 31400
          protocol: TCP
        - containerPort: 15443
          protocol: TCP
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 2
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 40Mi
        # Container-level hardening: no privilege escalation, every capability
        # dropped, not privileged, read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/istio/config
          name: config-volume
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/secrets/tokens
          name: istio-token
          readOnly: true
        - mountPath: /var/lib/istio/data
          name: istio-data
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      # Pod-level context: runs as non-root uid/gid 1337.
      securityContext:
        fsGroup: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
      serviceAccountName: istio-ingressgateway-service-account
      volumes:
      - configMap:
          name: istio-ca-root-cert
        name: istiod-ca-cert
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              fieldPath: metadata.annotations
            path: annotations
          - path: cpu-limit
            resourceFieldRef:
              containerName: istio-proxy
              divisor: 1m
              resource: limits.cpu
          - path: cpu-request
            resourceFieldRef:
              containerName: istio-proxy
              divisor: 1m
              resource: requests.cpu
        name: podinfo
      - emptyDir: {}
        name: istio-envoy
      - emptyDir: {}
        name: istio-data
      # Projected service-account token bound to the `istio-ca` audience,
      # expiring after 43200 seconds.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      - configMap:
          name: istio
          optional: true
        name: config-volume
      # Both certificate Secrets are optional, so the pod starts without them.
      - name: ingressgateway-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-certs
      - name: ingressgateway-ca-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-ca-certs
---
# Deployment: istiod -- the control plane (`discovery`), backing the ports
# published by the istiod Service. Sidecar injection is switched off for it.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istiod
    install.operator.istio.io/owning-resource: unknown
    istio: pilot
    istio.io/rev: default
    operator.istio.io/component: Pilot
    release: istio
  name: istiod
  namespace: istio-system
spec:
  replicas: 1
  selector:
    matchLabels:
      istio: pilot
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        prometheus.io/port: "15014"
        prometheus.io/scrape: "true"
        sidecar.istio.io/inject: "false"
      labels:
        app: istiod
        install.operator.istio.io/owning-resource: unknown
        istio: pilot
        istio.io/rev: default
        operator.istio.io/component: Pilot
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - args:
        - discovery
        - --monitoringAddr=:15014
        - --log_output_level=default:info
        - --domain
        - cluster.local
        - --keepaliveMaxServerConnectionAge
        - 30m
        env:
        - name: REVISION
          value: default
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.serviceAccountName
        # NOTE(review): KUBECONFIG points into the mount of the optional
        # `istio-kubeconfig` Secret (see volumes). Presumably istiod uses that
        # file when the Secret exists -- confirm, and restrict who may create
        # or edit Secrets in istio-system accordingly.
        - name: KUBECONFIG
          value: /var/run/secrets/remote/config
        # "100" is presumably a percentage, i.e. every request is traced --
        # TODO confirm this is intended outside a demo setup.
        - name: PILOT_TRACE_SAMPLING
          value: "100"
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
          value: "true"
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
          value: "true"
        - name: ISTIOD_ADDR
          value: istiod.istio-system.svc:15012
        - name: PILOT_ENABLE_ANALYSIS
          value: "false"
        - name: CLUSTER_ID
          value: Kubernetes
        - name: EXTERNAL_ISTIOD
          value: "false"
        # NOTE(review): same registry mirror and tag-only reference as the
        # gateway image above; pin by digest (`@sha256:<digest-placeholder>`)
        # once the image has been compared with the upstream release.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-pilot:1.9.0-9d4e9
        name: discovery
        ports:
        - containerPort: 8080
          protocol: TCP
        - containerPort: 15010
          protocol: TCP
        - containerPort: 15017
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 1
          periodSeconds: 3
          timeoutSeconds: 5
        # Only requests are declared; no CPU or memory limit is set here.
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
        # NOTE(review): unlike the gateway container above, this context does
        # not set allowPrivilegeEscalation: false or readOnlyRootFilesystem:
        # true. The process already runs as non-root uid 1337 with every
        # capability dropped; adding both fields would match the gateway's
        # hardening -- verify first that istiod writes only to its mounted
        # volumes.
        securityContext:
          capabilities:
            drop:
            - ALL
          runAsGroup: 1337
          runAsNonRoot: true
          runAsUser: 1337
        volumeMounts:
        - mountPath: /etc/istio/config
          name: config-volume
        - mountPath: /var/run/secrets/tokens
          name: istio-token
          readOnly: true
        - mountPath: /var/run/secrets/istio-dns
          name: local-certs
        - mountPath: /etc/cacerts
          name: cacerts
          readOnly: true
        - mountPath: /var/run/secrets/remote
          name: istio-kubeconfig
          readOnly: true
        - mountPath: /var/lib/istio/inject
          name: inject
          readOnly: true
      nodeSelector: {}
      securityContext:
        fsGroup: 1337
      serviceAccountName: istiod-service-account
      volumes:
      # Memory-backed scratch volume, mounted at /var/run/secrets/istio-dns.
      - emptyDir:
          medium: Memory
        name: local-certs
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      # Optional Secret mounted at /etc/cacerts; the pod starts without it.
      - name: cacerts
        secret:
          optional: true
          secretName: cacerts
      - name: istio-kubeconfig
        secret:
          optional: true
          secretName: istio-kubeconfig
      # The injection template and values are read from this ConfigMap. Write
      # access to it decides which containers and securityContext settings are
      # added to every injected pod, so its RBAC deserves the same care as
      # istiod's own.
      - configMap:
          name: istio-sidecar-injector
        name: inject
      - configMap:
          name: istio
        name: config-volume
---
apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: labels: install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot name: metadata-exchange-1.8 namespace: istio-system spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND listener: filterChain: filter: name: envoy.filters.network.http_connection_manager proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | {} vm_config: code: local: inline_string: envoy.wasm.metadata_exchange runtime: envoy.wasm.runtime.null - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND listener: filterChain: filter: name: envoy.filters.network.http_connection_manager proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type':
type.googleapis.com/google.protobuf.StringValue value: | {} vm_config: code: local: inline_string: envoy.wasm.metadata_exchange runtime: envoy.wasm.runtime.null - applyTo: HTTP_FILTER match: context: GATEWAY listener: filterChain: filter: name: envoy.filters.network.http_connection_manager proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | {} vm_config: code: local: inline_string: envoy.wasm.metadata_exchange runtime: envoy.wasm.runtime.null --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: labels: install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot name: metadata-exchange-1.9 namespace: istio-system spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND listener: filterChain: filter: name: envoy.filters.network.http_connection_manager proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | {} vm_config: code: local: inline_string: envoy.wasm.metadata_exchange runtime: envoy.wasm.runtime.null - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND listener: filterChain: filter: name: envoy.filters.network.http_connection_manager proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': 
type.googleapis.com/google.protobuf.StringValue value: | {} vm_config: code: local: inline_string: envoy.wasm.metadata_exchange runtime: envoy.wasm.runtime.null - applyTo: HTTP_FILTER match: context: GATEWAY listener: filterChain: filter: name: envoy.filters.network.http_connection_manager proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | {} vm_config: code: local: inline_string: envoy.wasm.metadata_exchange runtime: envoy.wasm.runtime.null --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: labels: istio.io/rev: default name: stats-filter-1.8 namespace: istio-system spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND listener: filterChain: filter: name: envoy.filters.network.http_connection_manager subFilter: name: envoy.filters.http.router proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { } root_id: stats_outbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: stats_outbound - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND listener: filterChain: filter: name: envoy.filters.network.http_connection_manager subFilter: name: envoy.filters.http.router proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': 
type.googleapis.com/google.protobuf.StringValue value: | { } root_id: stats_inbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: stats_inbound - applyTo: HTTP_FILTER match: context: GATEWAY listener: filterChain: filter: name: envoy.filters.network.http_connection_manager subFilter: name: envoy.filters.http.router proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { "disable_host_header_fallback": true } root_id: stats_outbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: stats_outbound --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: labels: istio.io/rev: default name: stats-filter-1.9 namespace: istio-system spec: configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_OUTBOUND listener: filterChain: filter: name: envoy.filters.network.http_connection_manager subFilter: name: envoy.filters.http.router proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "source_cluster": "node.metadata['CLUSTER_ID']", "destination_cluster": "upstream_peer.cluster_id" } } ] } root_id: stats_outbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: stats_outbound - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND listener: filterChain: filter: name: envoy.filters.network.http_connection_manager 
subFilter: name: envoy.filters.http.router proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "destination_cluster": "node.metadata['CLUSTER_ID']", "source_cluster": "downstream_peer.cluster_id" } } ] } root_id: stats_inbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: stats_inbound - applyTo: HTTP_FILTER match: context: GATEWAY listener: filterChain: filter: name: envoy.filters.network.http_connection_manager subFilter: name: envoy.filters.http.router proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { "debug": "false", "stat_prefix": "istio", "disable_host_header_fallback": true, "metrics": [ { "dimensions": { "source_cluster": "node.metadata['CLUSTER_ID']", "destination_cluster": "upstream_peer.cluster_id" } } ] } root_id: stats_outbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: stats_outbound --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: labels: istio.io/rev: default name: tcp-metadata-exchange-1.8 namespace: istio-system spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND listener: {} proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: 
type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: cluster: {} context: SIDECAR_OUTBOUND proxy: proxyVersion: ^1\.8.* patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: cluster: {} context: GATEWAY proxy: proxyVersion: ^1\.8.* patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: labels: istio.io/rev: default name: tcp-metadata-exchange-1.9 namespace: istio-system spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND listener: {} proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: cluster: {} context: SIDECAR_OUTBOUND proxy: proxyVersion: ^1\.9.* patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: protocol: istio-peer-exchange - applyTo: CLUSTER match: cluster: {} context: GATEWAY proxy: proxyVersion: ^1\.9.* patch: operation: MERGE value: filters: - name: istio.metadata_exchange typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange value: 
protocol: istio-peer-exchange --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: labels: istio.io/rev: default name: tcp-stats-filter-1.8 namespace: istio-system spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND listener: filterChain: filter: name: envoy.filters.network.tcp_proxy proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { } root_id: stats_inbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: tcp_stats_inbound - applyTo: NETWORK_FILTER match: context: SIDECAR_OUTBOUND listener: filterChain: filter: name: envoy.filters.network.tcp_proxy proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { } root_id: stats_outbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: tcp_stats_outbound - applyTo: NETWORK_FILTER match: context: GATEWAY listener: filterChain: filter: name: envoy.filters.network.tcp_proxy proxy: proxyVersion: ^1\.8.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { } root_id: stats_outbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: tcp_stats_outbound --- apiVersion: 
networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: labels: istio.io/rev: default name: tcp-stats-filter-1.9 namespace: istio-system spec: configPatches: - applyTo: NETWORK_FILTER match: context: SIDECAR_INBOUND listener: filterChain: filter: name: envoy.filters.network.tcp_proxy proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "destination_cluster": "node.metadata['CLUSTER_ID']", "source_cluster": "downstream_peer.cluster_id" } } ] } root_id: stats_inbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: tcp_stats_inbound - applyTo: NETWORK_FILTER match: context: SIDECAR_OUTBOUND listener: filterChain: filter: name: envoy.filters.network.tcp_proxy proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "source_cluster": "node.metadata['CLUSTER_ID']", "destination_cluster": "upstream_peer.cluster_id" } } ] } root_id: stats_outbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: tcp_stats_outbound - applyTo: NETWORK_FILTER match: context: GATEWAY listener: filterChain: filter: name: envoy.filters.network.tcp_proxy proxy: proxyVersion: ^1\.9.* patch: operation: INSERT_BEFORE value: name: istio.stats typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: 
type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm value: config: configuration: '@type': type.googleapis.com/google.protobuf.StringValue value: | { "debug": "false", "stat_prefix": "istio", "metrics": [ { "dimensions": { "source_cluster": "node.metadata['CLUSTER_ID']", "destination_cluster": "upstream_peer.cluster_id" } } ] } root_id: stats_outbound vm_config: code: local: inline_string: envoy.wasm.stats runtime: envoy.wasm.runtime.null vm_id: tcp_stats_outbound
---
# Lua filter on the ingress gateway: copies the request's ":authority"
# pseudo-header into "x-forwarded-host" before the router filter runs.
# NOTE(review): ":authority" is supplied by the client, so the resulting
# x-forwarded-host is attacker-influenced. Backends that build redirects or
# absolute URLs from it should validate it against an allow-list of hostnames.
# NOTE(review): headers():add() appends a value; a client-sent
# x-forwarded-host is not removed by this filter. Confirm whether replace()
# was intended so only the gateway-derived value reaches upstreams.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: x-forwarded-host
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.http_connection_manager
            subFilter:
              name: envoy.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.lua
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(request_handle)
              local host = request_handle:headers():get(":authority")
              request_handle:headers():add("x-forwarded-host", host)
            end
  workloadSelector:
    labels:
      istio: ingressgateway
---
# Ingress Gateway: a single plain-HTTP server on port 80 that accepts any host.
# NOTE(review): no TLS server is defined in this resource, so session cookies
# and bearer tokens cross this listener unencrypted unless TLS is terminated
# in front of it. Add an HTTPS server (and restrict `hosts`) for anything
# beyond a local test cluster.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  labels:
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---
# AuthorizationPolicy with an empty spec and no selector in istio-system.
# NOTE(review): assuming istio-system is the mesh root namespace, this acts as
# a mesh-wide default deny; every workload then needs an explicit ALLOW policy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: global-deny-all
  namespace: istio-system
spec: {}
---
# ALLOW policy for the ingress gateway pods. The single empty rule ({}) matches
# every request, so this policy performs no filtering by source, path or
# identity at the gateway.
# NOTE(review): request authentication at the edge therefore depends on the
# ext_authz filter (the `authn-filter` EnvoyFilter elsewhere in this dump),
# not on this policy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  action: ALLOW
  rules:
  - {}
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
--- apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: labels: app: sidecar-injector install.operator.istio.io/owning-resource: unknown istio.io/rev: default
operator.istio.io/component: Pilot release: istio name: istio-sidecar-injector webhooks: - admissionReviewVersions: - v1beta1 - v1 clientConfig: caBundle: "" service: name: istiod namespace: istio-system path: /inject failurePolicy: Fail name: sidecar-injector.istio.io namespaceSelector: matchLabels: istio-injection: enabled objectSelector: matchExpressions: - key: sidecar.istio.io/inject operator: NotIn values: - "false" rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods sideEffects: None
---
# Validating webhook that sends CREATE/UPDATE of security.istio.io and
# networking.istio.io resources to istiod's /validate endpoint.
# NOTE(review): failurePolicy is Ignore, so when istiod cannot be reached the
# API server admits these resources unvalidated (this includes
# AuthorizationPolicy and EnvoyFilter objects).
# NOTE(review): caBundle is empty in the manifest; presumably istiod patches it
# at runtime. Confirm.
# NOTE(review): admissionregistration.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22 onward.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app: istiod
    istio: istiod
    release: istio
  name: istiod-istio-system
webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    caBundle: ""
    service:
      name: istiod
      namespace: istio-system
      path: /validate
  failurePolicy: Ignore
  name: validation.istio.io
  rules:
  - apiGroups:
    - security.istio.io
    - networking.istio.io
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - '*'
  sideEffects: None
================================================
FILE: manifest1.3/007-oidc-authservice-oidc-authservice-base.yaml
================================================
# Runtime parameters for the OIDC authservice, injected as environment
# variables through the StatefulSet's envFrom.
# NOTE(review): OIDC_PROVIDER uses plain http:// to reach Dex inside the
# cluster, so the token exchange is unencrypted unless the mesh adds mTLS
# between these pods. The authservice pod below opts out of sidecar injection.
# NOTE(review): SKIP_AUTH_URI presumably exempts every path under /dex from
# authentication. Confirm nothing other than Dex is routed under that prefix.
apiVersion: v1
data:
  OIDC_AUTH_URL: /dex/auth
  OIDC_PROVIDER: http://dex.auth.svc.cluster.local:5556/dex
  OIDC_SCOPES: profile email groups
  PORT: '"8080"'
  REDIRECT_URL: /login/oidc
  SKIP_AUTH_URI: /dex
  STORE_PATH: /var/lib/authservice/data.db
  USERID_CLAIM: email
  USERID_HEADER: kubeflow-userid
  USERID_PREFIX: ""
kind: ConfigMap
metadata:
  name: oidc-authservice-parameters
  namespace: istio-system
---
# OIDC client credentials for the authservice.
# NOTE(review): both values are static and committed to the repository.
# Base64 is an encoding, not encryption, so anyone who can read the repo has
# the client secret, and every cluster installed from this manifest shares it.
# Generate a per-install secret, keep it out of version control, and rotate it
# together with the matching `dex-oidc-client` Secret in the `auth` namespace.
apiVersion: v1
data:
  CLIENT_ID: a3ViZWZsb3ctb2lkYy1hdXRoc2VydmljZQ==
  CLIENT_SECRET: cFVCbkJPWTgwU25YZ2ppYlRZTTlaV056WTJ4cmVOR1Fvaw==
kind: Secret
metadata:
  name: oidc-authservice-client
  namespace: istio-system
type: Opaque
---
# ClusterIP Service in front of the authservice pod; port 8080 forwards to the
# container port named http-api. publishNotReadyAddresses keeps the endpoint
# published even while the pod is not ready.
apiVersion: v1
kind: Service
metadata:
  name: authservice
  namespace: istio-system
spec:
  ports:
  - name: http-authservice
    port: 8080
    targetPort: http-api
  publishNotReadyAddresses: true
  selector:
    app: authservice
  type: ClusterIP
---
# Persistent storage for the authservice; mounted at /var/lib/authservice,
# which is where STORE_PATH (data.db) points.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authservice-pvc
  namespace: istio-system
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# Single-replica authservice workload.
# NOTE(review): the image is referenced by tag from a mirror registry and
# imagePullPolicy is Always, so each pod start re-resolves the tag and runs
# whatever the registry serves at that moment. Pin the image by digest.
# NOTE(review): only a pod-level fsGroup is set. No container securityContext
# (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities) and no resource
# limits appear in this manifest.
# NOTE(review): the readiness probe targets port 8081, which is not among the
# declared containerPorts. Confirm the image serves a health endpoint there.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: authservice
  namespace: istio-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authservice
  serviceName: authservice
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: authservice
    spec:
      containers:
      - envFrom:
        - secretRef:
            name: oidc-authservice-client
        - configMapRef:
            name: oidc-authservice-parameters
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflow-oidc-authservice:28c59ef-c8870
        imagePullPolicy: Always
        name: authservice
        ports:
        - containerPort: 8080
          name: http-api
        readinessProbe:
          httpGet:
            path: /
            port: 8081
        volumeMounts:
        - mountPath: /var/lib/authservice
          name: data
      securityContext:
        fsGroup: 111
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: authservice-pvc
---
# Inserts Envoy's ext_authz HTTP filter on the ingress gateway. Each request is
# checked against the authservice; only the authorization, cookie and
# x-auth-token request headers are forwarded to it, and only kubeflow-userid is
# copied from its response onto the upstream request.
# NOTE(review): failure_mode_allow is not set, so Envoy's default applies and
# requests are rejected when the authservice cannot be reached.
# NOTE(review): the key order in the flattened source places `listener` beside
# `match` rather than under it. Confirm against the original file. If it really
# is a sibling, the listener/filter-chain constraint is probably not applied as
# intended.
# NOTE(review): kubeflow-userid is presumably what backends treat as the caller
# identity. Traffic that reaches a backend without passing through this gateway
# filter could set the header itself, so confirm that mesh policies restrict
# who may call those backends.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    listener:
      filterChain:
        filter:
          name: envoy.http_connection_manager
          subFilter:
            name: ""
    match:
      context: GATEWAY
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          http_service:
            authorization_request:
              allowed_headers:
                patterns:
                - exact: authorization
                - exact: cookie
                - exact: x-auth-token
            authorization_response:
              allowed_upstream_headers:
                patterns:
                - exact: kubeflow-userid
            server_uri:
              cluster: outbound|8080||authservice.istio-system.svc.cluster.local
              timeout: 10s
              uri: http://authservice.istio-system.svc.cluster.local
  workloadSelector:
    labels:
      istio: ingressgateway
================================================
FILE: manifest1.3/008-dex-overlays-istio.yaml
================================================
# Namespace that holds the Dex identity provider.
apiVersion: v1
kind: Namespace
metadata:
  name: auth
---
# CRD for Dex's AuthCode objects (Dex is configured below to use Kubernetes as
# its storage backend).
# NOTE(review): apiextensions.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22 onward.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: authcodes.dex.coreos.com
spec:
  group: dex.coreos.com
  names:
    kind: AuthCode
    listKind: AuthCodeList
    plural: authcodes
    singular: authcode
  scope: Namespaced
  version: v1
---
# Identity the Dex pod runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dex
  namespace: auth
---
# Cluster-wide permissions for Dex: every verb on every dex.coreos.com
# resource, plus `create` on CustomResourceDefinitions.
# NOTE(review): this is a ClusterRole bound with a ClusterRoleBinding, so the
# wildcard grant applies in all namespaces, and CRD `create` lets the service
# account register new cluster-scoped API types. If the CRDs are installed
# ahead of time, the CRD rule can likely be dropped and the first rule
# narrowed to a namespaced Role in `auth`. Confirm against the Dex version in
# use.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22 onward.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dex
rules:
- apiGroups:
  - dex.coreos.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
---
# Binds the `dex` ClusterRole to the `dex` ServiceAccount in `auth`.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dex
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dex
subjects:
- kind: ServiceAccount
  name: dex
  namespace: auth
---
# Dex server configuration, mounted into the pod at /etc/dex/cfg/config.yaml.
# NOTE(review): staticPasswords defines a built-in account (user@example.com)
# whose bcrypt hash is committed to the repository, so every install from this
# manifest shares the same login until the hash is replaced. The embedded
# FIXME already points at hashFromEnv. Set a unique credential per install or
# disable the password DB in favour of a real connector.
# NOTE(review): the hash lives in a ConfigMap, not a Secret, so it is readable
# by any principal with ConfigMap read access in `auth`.
# NOTE(review): logger.level is "debug"; debug logs from an identity provider
# may include request details, so lower it outside of troubleshooting.
# NOTE(review): issuer and web.http are plain HTTP, and the listener binds
# 0.0.0.0:5556.
apiVersion: v1
data:
  config.yaml: |
    issuer: http://dex.auth.svc.cluster.local:5556/dex
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556
    logger:
      level: "debug"
      format: text
    oauth2:
      skipApprovalScreen: true
    enablePasswordDB: true
    staticPasswords:
    - email: user@example.com
      hash: $2y$12$4K/VkmDd1q1Orb3xAt82zu8gk7Ad6ReFR4LCP9UeYE90NLiN9Df72
      # https://github.com/dexidp/dex/pull/1601/commits
      # FIXME: Use hashFromEnv instead
      username: user
      userID: "15841185641784"
    staticClients:
    # https://github.com/dexidp/dex/pull/1664
    - idEnv: OIDC_CLIENT_ID
      redirectURIs: ["/login/oidc"]
      name: 'Dex Login Application'
      secretEnv: OIDC_CLIENT_SECRET
kind: ConfigMap
metadata:
  name: dex
  namespace: auth
---
# OIDC client id/secret that Dex reads through idEnv/secretEnv.
# NOTE(review): these are the same static base64 values as the
# `oidc-authservice-client` Secret in istio-system, committed in clear.
# Base64 is not encryption. Generate the secret per install and rotate both
# Secrets together.
apiVersion: v1
data:
  OIDC_CLIENT_ID: a3ViZWZsb3ctb2lkYy1hdXRoc2VydmljZQ==
  OIDC_CLIENT_SECRET: cFVCbkJPWTgwU25YZ2ppYlRZTTlaV056WTJ4cmVOR1Fvaw==
kind: Secret
metadata:
  name: dex-oidc-client
  namespace: auth
type: Opaque
---
# Service for Dex.
# NOTE(review): type NodePort with nodePort 32000 publishes Dex's plain-HTTP
# port on every node, in addition to the /dex/ route through the gateway
# defined by the VirtualService below. If node-level access is not required,
# ClusterIP avoids exposing the login endpoint outside the mesh path.
apiVersion: v1
kind: Service
metadata:
  name: dex
  namespace: auth
spec:
  ports:
  - name: dex
    nodePort: 32000
    port: 5556
    protocol: TCP
    targetPort: 5556
  selector:
    app: dex
  type: NodePort
---
# Dex Deployment: runs `dex serve` against the mounted config and takes the
# OIDC client id/secret from the dex-oidc-client Secret via envFrom.
# NOTE(review): the image is referenced by tag from a mirror registry; pin it
# by digest so the deployed bits cannot change under the same tag.
# NOTE(review): no securityContext, resource limits or probes appear in this
# manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dex
  name: dex
  namespace: auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
    spec:
      containers:
      - command:
        - dex
        - serve
        - /etc/dex/cfg/config.yaml
        envFrom:
        - secretRef:
            name: dex-oidc-client
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/dexidp-dex:v2.24.0-bb0b9
        name: dex
        ports:
        - containerPort: 5556
          name: http
        volumeMounts:
        - mountPath: /etc/dex/cfg
          name: config
      serviceAccountName: dex
      volumes:
      - configMap:
          items:
          - key: config.yaml
            path: config.yaml
          name: dex
        name: config
---
# Routes any host's /dex/ prefix on the kubeflow gateway to the Dex Service.
# This is the prefix the authservice is configured to skip (SKIP_AUTH_URI),
# so these paths are presumably reachable without a session.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dex
  namespace: auth
spec:
  gateways:
  - kubeflow/kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /dex/
    route:
    - destination:
        host: dex.auth.svc.cluster.local
        port:
          number: 5556
================================================
FILE: manifest1.3/009-knative-knative-serving-crds-base.yaml
================================================
apiVersion: v1 kind: Namespace metadata: labels: serving.knative.dev/release: v0.14.3 name: knative-serving --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: knative.dev/crd-install: "true" serving.knative.dev/release: v0.14.3 name: certificates.networking.internal.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string group: networking.internal.knative.dev names: categories: - knative-internal - networking kind: Certificate plural: certificates shortNames: - kcert singular: certificate scope: Namespaced subresources: status: {} version: v1alpha1 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/podspecable: "true" knative.dev/crd-install: "true" serving.knative.dev/release:
v0.14.3 name: configurations.serving.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.latestCreatedRevisionName name: LatestCreated type: string - JSONPath: .status.latestReadyRevisionName name: LatestReady type: string - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string conversion: strategy: Webhook webhookClientConfig: service: name: webhook namespace: knative-serving group: serving.knative.dev names: categories: - all - knative - serving kind: Configuration plural: configurations shortNames: - config - cfg singular: configuration preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: false - name: v1beta1 served: true storage: false - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: knative.dev/crd-install: "true" name: images.caching.internal.knative.dev spec: group: caching.internal.knative.dev names: categories: - knative-internal - caching kind: Image plural: images shortNames: - img singular: image scope: Namespaced subresources: status: {} version: v1alpha1 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: knative.dev/crd-install: "true" serving.knative.dev/release: v0.14.3 name: ingresses.networking.internal.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string group: networking.internal.knative.dev names: categories: - knative-internal - networking kind: Ingress plural: ingresses shortNames: - kingress - king singular: ingress scope: Namespaced subresources: status: {} versions: - name: v1alpha1 
served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: knative.dev/crd-install: "true" serving.knative.dev/release: v0.14.3 name: metrics.autoscaling.internal.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string group: autoscaling.internal.knative.dev names: categories: - knative-internal - autoscaling kind: Metric plural: metrics singular: metric scope: Namespaced subresources: status: {} version: v1alpha1 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: knative.dev/crd-install: "true" serving.knative.dev/release: v0.14.3 name: podautoscalers.autoscaling.internal.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.desiredScale name: DesiredScale type: integer - JSONPath: .status.actualScale name: ActualScale type: integer - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string group: autoscaling.internal.knative.dev names: categories: - knative-internal - autoscaling kind: PodAutoscaler plural: podautoscalers shortNames: - kpa - pa singular: podautoscaler scope: Namespaced subresources: status: {} versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: knative.dev/crd-install: "true" serving.knative.dev/release: v0.14.3 name: revisions.serving.knative.dev spec: additionalPrinterColumns: - JSONPath: .metadata.labels['serving\.knative\.dev/configuration'] name: Config Name type: string - JSONPath: .status.serviceName name: K8s Service Name type: string - JSONPath: .metadata.labels['serving\.knative\.dev/configurationGeneration'] name: Generation type: string - JSONPath: 
.status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string conversion: strategy: Webhook webhookClientConfig: service: name: webhook namespace: knative-serving group: serving.knative.dev names: categories: - all - knative - serving kind: Revision plural: revisions shortNames: - rev singular: revision preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: false - name: v1beta1 served: true storage: false - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/addressable: "true" knative.dev/crd-install: "true" serving.knative.dev/release: v0.14.3 name: routes.serving.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.url name: URL type: string - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string conversion: strategy: Webhook webhookClientConfig: service: name: webhook namespace: knative-serving group: serving.knative.dev names: categories: - all - knative - serving kind: Route plural: routes shortNames: - rt singular: route preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: false - name: v1beta1 served: true storage: false - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: knative.dev/crd-install: "true" serving.knative.dev/release: v0.14.3 name: serverlessservices.networking.internal.knative.dev spec: additionalPrinterColumns: - JSONPath: .spec.mode name: Mode type: string - 
JSONPath: .spec.numActivators name: Activators type: integer - JSONPath: .status.serviceName name: ServiceName type: string - JSONPath: .status.privateServiceName name: PrivateServiceName type: string - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string group: networking.internal.knative.dev names: categories: - knative-internal - networking kind: ServerlessService plural: serverlessservices shortNames: - sks singular: serverlessservice scope: Namespaced subresources: status: {} versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/addressable: "true" duck.knative.dev/podspecable: "true" knative.dev/crd-install: "true" serving.knative.dev/release: v0.14.3 name: services.serving.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.url name: URL type: string - JSONPath: .status.latestCreatedRevisionName name: LatestCreated type: string - JSONPath: .status.latestReadyRevisionName name: LatestReady type: string - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string conversion: strategy: Webhook webhookClientConfig: service: name: webhook namespace: knative-serving group: serving.knative.dev names: categories: - all - knative - serving kind: Service plural: services shortNames: - kservice - ksvc singular: service preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: false - name: v1beta1 served: true storage: false - name: v1 served: true storage: true ================================================ FILE: manifest1.3/010-knative-knative-serving-install-base.yaml 
================================================ apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: controller namespace: knative-serving --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install duck.knative.dev/addressable: "true" kustomize.component: knative serving.knative.dev/release: v0.14.3 name: knative-serving-addressable-resolver rules: - apiGroups: - serving.knative.dev resources: - routes - routes/status - services - services/status verbs: - get - list - watch --- aggregationRule: clusterRoleSelectors: - matchLabels: serving.knative.dev/controller: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: knative-serving-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/controller: "true" serving.knative.dev/release: v0.14.3 name: knative-serving-core rules: - apiGroups: - "" resources: - pods - namespaces - secrets - configmaps - endpoints - services - events - serviceaccounts verbs: - get - list - create - update - delete - patch - watch - apiGroups: - "" resources: - endpoints/restricted verbs: - create - apiGroups: - apps resources: - deployments - deployments/finalizers verbs: - get - list - create - update - delete - patch - watch - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations verbs: - get - 
list - create - update - delete - patch - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions - customresourcedefinitions/status verbs: - get - list - create - update - delete - patch - watch - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - get - list - create - update - delete - patch - watch - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - create - update - delete - patch - watch - apiGroups: - serving.knative.dev - autoscaling.internal.knative.dev - networking.internal.knative.dev resources: - '*' - '*/status' - '*/finalizers' verbs: - get - list - create - update - delete - deletecollection - patch - watch - apiGroups: - caching.internal.knative.dev resources: - images verbs: - get - list - create - update - delete - patch - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative networking.knative.dev/ingress-provider: istio serving.knative.dev/controller: "true" serving.knative.dev/release: v0.14.3 name: knative-serving-istio rules: - apiGroups: - networking.istio.io resources: - virtualservices - gateways verbs: - get - list - create - update - delete - patch - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative rbac.authorization.k8s.io/aggregate-to-admin: "true" serving.knative.dev/release: v0.14.3 name: knative-serving-namespaced-admin rules: - apiGroups: - serving.knative.dev - networking.internal.knative.dev - autoscaling.internal.knative.dev - caching.internal.knative.dev resources: - '*' verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: knative-serving-install 
app.kubernetes.io/name: knative-serving-install kustomize.component: knative rbac.authorization.k8s.io/aggregate-to-edit: "true" serving.knative.dev/release: v0.14.3 name: knative-serving-namespaced-edit rules: - apiGroups: - serving.knative.dev - networking.internal.knative.dev - autoscaling.internal.knative.dev - caching.internal.knative.dev resources: - '*' verbs: - create - update - patch - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative rbac.authorization.k8s.io/aggregate-to-view: "true" serving.knative.dev/release: v0.14.3 name: knative-serving-namespaced-view rules: - apiGroups: - serving.knative.dev - networking.internal.knative.dev - autoscaling.internal.knative.dev - caching.internal.knative.dev resources: - '*' verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install duck.knative.dev/podspecable: "true" kustomize.component: knative serving.knative.dev/release: v0.14.3 name: knative-serving-podspecable-binding rules: - apiGroups: - serving.knative.dev resources: - configurations - services verbs: - list - watch - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: knative-serving-controller-admin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: knative-serving-admin subjects: - kind: ServiceAccount name: controller namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually 
functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # The Revision ContainerConcurrency field specifies the maximum number # of requests the Container can handle at once. Container concurrency # target percentage is how much of that maximum to use in a stable # state. E.g. if a Revision specifies ContainerConcurrency of 10, then # the Autoscaler will try to maintain 7 concurrent connections per pod # on average. # Note: this limit will be applied to container concurrency set at every # level (ConfigMap, Revision Spec or Annotation). # For legacy and backwards compatibility reasons, this value also accepts # fractional values in (0, 1] interval (i.e. 0.7 ⇒ 70%). # Thus minimal percentage value must be greater than 1.0, or it will be # treated as a fraction. # NOTE: that this value does not affect actual number of concurrent requests # the user container may receive, but only the average number of requests # that the revision pods will receive. container-concurrency-target-percentage: "70" # The container concurrency target default is what the Autoscaler will # try to maintain when concurrency is used as the scaling metric for the # Revision and the Revision specifies unlimited concurrency. # When revision explicitly specifies container concurrency, that value # will be used as a scaling target for autoscaler. # When specifying unlimited concurrency, the autoscaler will # horizontally scale the application based on this target concurrency. # This is what we call "soft limit" in the documentation, i.e. it only # affects number of pods and does not affect the number of requests # individual pod processes. 
# The value must be a positive number such that the value multiplied # by container-concurrency-target-percentage is greater than 0.01. # NOTE: that this value will be adjusted by application of # container-concurrency-target-percentage, i.e. by default # the system will target on average 70 concurrent requests # per revision pod. # NOTE: Only one metric can be used for autoscaling a Revision. container-concurrency-target-default: "100" # The requests per second (RPS) target default is what the Autoscaler will # try to maintain when RPS is used as the scaling metric for a Revision and # the Revision specifies unlimited RPS. Even when specifying unlimited RPS, # the autoscaler will horizontally scale the application based on this # target RPS. # Must be greater than 1.0. # NOTE: Only one metric can be used for autoscaling a Revision. requests-per-second-target-default: "200" # The target burst capacity specifies the size of burst in concurrent # requests that the system operator expects the system will receive. # Autoscaler will try to protect the system from queueing by introducing # Activator in the request path if the current spare capacity of the # service is less than this setting. # If this setting is 0, then Activator will be in the request path only # when the revision is scaled to 0. # If this setting is > 0 and container-concurrency-target-percentage is # 100% or 1.0, then activator will always be in the request path. # -1 denotes unlimited target-burst-capacity and activator will always # be in the request path. # Other negative values are invalid. target-burst-capacity: "200" # When operating in a stable mode, the autoscaler operates on the # average concurrency over the stable window. # Stable window must be in whole seconds. stable-window: "60s" # When observed average concurrency during the panic window reaches # panic-threshold-percentage the target concurrency, the autoscaler # enters panic mode. 
When operating in panic mode, the autoscaler # scales on the average concurrency over the panic window which is # panic-window-percentage of the stable-window. # When computing the panic window it will be rounded to the closest # whole second. panic-window-percentage: "10.0" # The percentage of the container concurrency target at which to # enter panic mode when reached within the panic window. panic-threshold-percentage: "200.0" # Max scale up rate limits the rate at which the autoscaler will # increase pod count. It is the maximum ratio of desired pods versus # observed pods. # Cannot be less or equal to 1. # I.e with value of 2.0 the number of pods can at most go N to 2N # over single Autoscaler period (see tick-interval), but at least N to # N+1, if Autoscaler needs to scale up. max-scale-up-rate: "1000.0" # Max scale down rate limits the rate at which the autoscaler will # decrease pod count. It is the maximum ratio of observed pods versus # desired pods. # Cannot be less or equal to 1. # I.e. with value of 2.0 the number of pods can at most go N to N/2 # over single Autoscaler evaluation period (see tick-interval), but at # least N to N-1, if Autoscaler needs to scale down. max-scale-down-rate: "2.0" # Scale to zero feature flag enable-scale-to-zero: "true" # Tick interval is the time between autoscaling calculations. tick-interval: "2s" # Scale to zero grace period is the time an inactive revision is left # running before it is scaled to zero (min: 6s). scale-to-zero-grace-period: "30s" # Enable graceful scaledown feature flag. # Once enabled, it allows the autoscaler to prioritize pods processing # fewer (or zero) requests for removal when scaling down. enable-graceful-scaledown: "false" # pod-autoscaler-class specifies the default pod autoscaler class # that should be used if none is specified. If omitted, the Knative # Horizontal Pod Autoscaler (KPA) is used by default. 
pod-autoscaler-class: "kpa.autoscaling.knative.dev" # The capacity of a single activator task. # The `unit` is one concurrent request proxied by the activator. # activator-capacity must be at least 1. # This value is used for computation of the Activator subset size. # See the algorithm here: http://bit.ly/38XiCZ3. # TODO(vagababov): tune after actual benchmarking. activator-capacity: "100.0" kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-autoscaler namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # revision-timeout-seconds contains the default number of # seconds to use for the revision's per-request timeout, if # none is specified. revision-timeout-seconds: "300" # 5 minutes # max-revision-timeout-seconds contains the maximum number of # seconds that can be used for revision-timeout-seconds. # This value must be greater than or equal to revision-timeout-seconds. # If omitted, the system default is used (600 seconds). max-revision-timeout-seconds: "600" # 10 minutes # revision-cpu-request contains the cpu allocation to assign # to revisions by default. If omitted, no value is specified # and the system default is used. revision-cpu-request: "400m" # 0.4 of a CPU (aka 400 milli-CPU) # revision-memory-request contains the memory allocation to assign # to revisions by default. 
If omitted, no value is specified # and the system default is used. revision-memory-request: "100M" # 100 megabytes of memory # revision-cpu-limit contains the cpu allocation to limit # revisions to by default. If omitted, no value is specified # and the system default is used. revision-cpu-limit: "1000m" # 1 CPU (aka 1000 milli-CPU) # revision-memory-limit contains the memory allocation to limit # revisions to by default. If omitted, no value is specified # and the system default is used. revision-memory-limit: "200M" # 200 megabytes of memory # container-name-template contains a template for the default # container name, if none is specified. This field supports # Go templating and is supplied with the ObjectMeta of the # enclosing Service or Configuration, so values such as # {{.Name}} are also valid. container-name-template: "user-container" # container-concurrency specifies the maximum number # of requests the Container can handle at once, and requests # above this threshold are queued. Setting a value of zero # disables this throttling and lets through as many requests as # the pod receives. container-concurrency: "0" # The container concurrency max limit is an operator setting ensuring that # the individual revisions cannot have arbitrary large concurrency # values, or autoscaling targets. `container-concurrency` default setting # must be at or below this value. # Must be greater than 1. 
container-concurrency-max-limit: "1000" # feature flag indicates whether to enable multi container support or not enable-multi-container: "false" kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-defaults namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # List of repositories for which tag to digest resolving should be skipped registriesSkippingTagResolving: "ko.local,dev.local" queueSidecarImage: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:d066ae5b642885827506610ae25728d442ce11447b82df6e9cc4c174bb97ecb3 kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-deployment namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # Default value for domain. 
# Although it will match all routes, it is the least-specific rule so it # will only be used if no other domain matches. example.com: | # These are example settings of domain. # example.org will be used for routes having app=nonprofit. example.org: | selector: app: nonprofit # Routes having domain suffix of 'svc.cluster.local' will not be exposed # through Ingress. You can define your own label selector to assign that # domain suffix to your Route here, or you can set the label # "serving.knative.dev/visibility=cluster-local" # to achieve the same effect. This shows how to make routes having # the label app=secret only exposed to the local cluster. svc.cluster.local: | selector: app: secret kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-domain namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # Delay after revision creation before considering it for GC stale-revision-create-delay: "48h" # Duration since a route has pointed at the revision before it # should be GC'd. # This minus lastpinned-debounce must be longer than the controller # resync period (10 hours). 
stale-revision-timeout: "15h" # Minimum number of generations of revisions to keep before considering # them for GC stale-revision-minimum-generations: "20" # To avoid constant updates, we allow an existing annotation to be stale by this # amount before we update the timestamp. stale-revision-lastpinned-debounce: "5h" kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-gc namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # Default Knative Gateway after v0.3. It points to the Istio # standard istio-ingressgateway, instead of a custom one that we # used pre-0.3. The configuration format should be `gateway. # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}} # is optional; when it is omitted, the system will search for # the gateway in the serving system namespace `knative-serving` gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" # A cluster local gateway to allow pods outside of the mesh to access # Services and Routes not exposing through an ingress. If the users # do have a service mesh setup, this isn't required and can be removed. # # An example use case is when users want to use Istio without any # sidecar injection (like Knative's istio-ci-no-mesh.yaml). 
Since every pod # is outside of the service mesh in that case, a cluster-local service # will need to be exposed to a cluster-local gateway to be accessible. # The configuration format should be `local-gateway.{{local_gateway_namespace}}. # {{local_gateway_name}}: "{{cluster_local_gateway_name}}. # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The # {{local_gateway_namespace}} is optional; when it is omitted, the system # will search for the local gateway in the serving system namespace # `knative-serving` local-gateway.knative-serving.cluster-local-gateway: "cluster-local-gateway.istio-system.svc.cluster.local" # To use only Istio service mesh and no cluster-local-gateway, replace # all local-gateway.* entries by the following entry. local-gateway.mesh: "mesh" gateway.kubeflow.kubeflow-gateway: istio-ingressgateway.istio-system.svc.cluster.local local-gateway.knative-serving.cluster-local-gateway: cluster-local-gateway.istio-system.svc.cluster.local local-gateway.mesh: mesh kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative networking.knative.dev/ingress-provider: istio serving.knative.dev/release: v0.14.3 name: config-istio namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # resourceLock controls which API resource is used as the basis for the # leader election lock. 
Valid values are: # # - leases -> use the coordination API # - configmaps -> use configmaps # - endpoints -> use endpoints resourceLock: "leases" # leaseDuration is how long non-leaders will wait to try to acquire the # lock; 15 seconds is the value used by core kubernetes controllers. leaseDuration: "15s" # renewDeadline is how long a leader will try to renew the lease before # giving up; 10 seconds is the value used by core kubernetes controllers. renewDeadline: "10s" # retryPeriod is how long the leader election client waits between tries of # actions; 2 seconds is the value used by core kubernetes controllers. retryPeriod: "2s" # enabledComponents is a comma-delimited list of component names for which # leader election is enabled. Valid values are: # # - controller # - hpaautoscaler # - certcontroller # - istiocontroller # - nscontroller enabledComponents: "controller,hpaautoscaler,certcontroller,istiocontroller,nscontroller" leaseDuration: 15s renewDeadline: 10s resourceLock: leases retryPeriod: 2s kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-leader-election namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. 
# Common configuration for all Knative codebase zap-logger-config: | { "level": "info", "development": false, "outputPaths": ["stdout"], "errorOutputPaths": ["stderr"], "encoding": "json", "encoderConfig": { "timeKey": "ts", "levelKey": "level", "nameKey": "logger", "callerKey": "caller", "messageKey": "msg", "stacktraceKey": "stacktrace", "lineEnding": "", "levelEncoder": "", "timeEncoder": "iso8601", "durationEncoder": "", "callerEncoder": "" } } # Log level overrides # For all components except the autoscaler and queue proxy, # changes are picked up immediately. # For autoscaler and queue proxy, changes require recreation of the pods. loglevel.controller: "info" loglevel.autoscaler: "info" loglevel.queueproxy: "info" loglevel.webhook: "info" loglevel.activator: "info" loglevel.hpaautoscaler: "info" loglevel.certcontroller: "info" loglevel.istiocontroller: "info" loglevel.nscontroller: "info" kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-logging namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # DEPRECATED: # istio.sidecar.includeOutboundIPRanges is obsolete. # The current versions have outbound network access enabled by default. # If you need this option for some reason, please use global.proxy.includeIPRanges in Istio.
# # istio.sidecar.includeOutboundIPRanges: "*" # ingress.class specifies the default ingress class # to use when not dictated by Route annotation. # # If not specified, will use the Istio ingress. # # Note that changing the Ingress class of an existing Route # will result in undefined behavior. Therefore it is best to only # update this value during the setup of Knative, to avoid getting # undefined behavior. ingress.class: "istio.ingress.networking.knative.dev" # certificate.class specifies the default Certificate class # to use when not dictated by Route annotation. # # If not specified, will use the Cert-Manager Certificate. # # Note that changing the Certificate class of an existing Route # will result in undefined behavior. Therefore it is best to only # update this value during the setup of Knative, to avoid getting # undefined behavior. certificate.class: "cert-manager.certificate.networking.knative.dev" # domainTemplate specifies the golang text template string to use # when constructing the Knative service's DNS name. The default # value is "{{.Name}}.{{.Namespace}}.{{.Domain}}". And those three # values (Name, Namespace, Domain) are the only variables defined. # # Changing this value might be necessary when the extra levels in # the domain name generated is problematic for wildcard certificates # that only support a single level of domain name added to the # certificate's domain. In those cases you might consider using a value # of "{{.Name}}-{{.Namespace}}.{{.Domain}}", or removing the Namespace # entirely from the template. When choosing a new value be thoughtful # of the potential for conflicts - for example, when users choose to use # characters such as `-` in their service, or namespace, names. # {{.Annotations}} can be used for any customization in the go template if needed. 
# We strongly recommend keeping namespace part of the template to avoid domain name clashes # Example '{{.Name}}-{{.Namespace}}.{{ index .Annotations "sub"}}.{{.Domain}}' # and you have an annotation {"sub":"foo"}, then the generated template would be {Name}-{Namespace}.foo.{Domain} domainTemplate: "{{.Name}}.{{.Namespace}}.{{.Domain}}" # tagTemplate specifies the golang text template string to use # when constructing the DNS name for "tags" within the traffic blocks # of Routes and Configuration. This is used in conjunction with the # domainTemplate above to determine the full URL for the tag. tagTemplate: "{{.Tag}}-{{.Name}}" # Controls whether TLS certificates are automatically provisioned and # installed in the Knative ingress to terminate external TLS connection. # 1. Enabled: enabling auto-TLS feature. # 2. Disabled: disabling auto-TLS feature. autoTLS: "Disabled" # Controls the behavior of the HTTP endpoint for the Knative ingress. # It requires autoTLS to be enabled. # 1. Enabled: The Knative ingress will be able to serve HTTP connection. # 2. Disabled: The Knative ingress will reject HTTP traffic. # 3. Redirected: The Knative ingress will send a 302 redirect for all # http connections, asking the clients to use HTTPS httpProtocol: "Enabled" kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-network namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. 
# # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # logging.enable-var-log-collection defaults to false. # The fluentd daemon set will be set up to collect /var/log if # this flag is true. logging.enable-var-log-collection: "false" # logging.revision-url-template provides a template to use for producing the # logging URL that is injected into the status of each Revision. # This value is what you might use with the Knative monitoring bundle, and provides # access to Kibana after setting up kubectl proxy. logging.revision-url-template: | http://localhost:8001/api/v1/namespaces/knative-monitoring/services/kibana-logging/proxy/app/kibana#/discover?_a=(query:(match:(kubernetes.labels.serving-knative-dev%2FrevisionUID:(query:'${REVISION_UID}',type:phrase)))) # If non-empty, this enables queue proxy writing user request logs to stdout, excluding probe # requests. # The value determines the shape of the request logs and it must be a valid go text/template. # It is important to keep this as a single line. Multiple lines are parsed as separate entities # by most collection agents and will split the request logs into multiple records. # # The following fields and functions are available to the template: # # Request: An http.Request (see https://golang.org/pkg/net/http/#Request) # representing an HTTP request received by the server. # # Response: # struct { # Code int // HTTP status code (see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml) # Size int // An int representing the size of the response. # Latency float64 // A float64 representing the latency of the response in seconds.
# } # # Revision: # struct { # Name string // Knative revision name # Namespace string // Knative revision namespace # Service string // Knative service name # Configuration string // Knative configuration name # PodName string // Name of the pod hosting the revision # PodIP string // IP of the pod hosting the revision # } # logging.request-log-template: '{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}' # If true, this enables queue proxy writing request logs for probe requests to stdout. # It uses the same template for user requests, i.e. logging.request-log-template. logging.enable-probe-request-log: "false" # metrics.backend-destination field specifies the system metrics destination. # It supports either prometheus (the default) or stackdriver. # Note: Using stackdriver will incur additional charges metrics.backend-destination: prometheus # metrics.request-metrics-backend-destination specifies the request metrics # destination. It enables queue proxy to send request metrics. # Currently supported values: prometheus (the default), stackdriver. metrics.request-metrics-backend-destination: prometheus # metrics.stackdriver-project-id field specifies the stackdriver project ID. This # field is optional. When running on GCE, application default credentials will be # used if this field is not provided. 
metrics.stackdriver-project-id: "" # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to # Stackdriver using "global" resource type and custom metric type if the # metrics are not supported by "knative_revision" resource type. Setting this # flag to "true" could cause extra Stackdriver charge. # If metrics.backend-destination is not Stackdriver, this is ignored. metrics.allow-stackdriver-custom-metrics: "false" # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from # the pods via an HTTP server in the format expected by the pprof visualization tool. When # enabled, the Knative Serving pods expose the profiling data on an alternate HTTP port 8008. # The HTTP context root for profiling is then /debug/pprof/. profiling.enable: "false" kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-observability namespace: knative-serving --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # # This may be "zipkin" or "stackdriver", the default is "none" backend: "none" # URL to zipkin collector where traces are sent. # This must be specified when backend is "zipkin" zipkin-endpoint: "http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans" # The GCP project into which stackdriver metrics will be written # when backend is "stackdriver". 
If unspecified, the project-id # is read from GCP metadata when running on GCP. stackdriver-project-id: "my-project" # Enable zipkin debug mode. This allows all spans to be sent to the server # bypassing sampling. debug: "false" # Percentage (0-1) of requests to trace sample-rate: "0.1" kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-tracing namespace: knative-serving --- apiVersion: v1 kind: Secret metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: istio-webhook-certs namespace: knative-serving --- apiVersion: v1 kind: Secret metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: webhook-certs namespace: knative-serving --- apiVersion: v1 kind: Service metadata: labels: app: activator app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: activator-service namespace: knative-serving spec: ports: - name: http port: 80 targetPort: 8012 - name: http2 port: 81 targetPort: 8013 - name: http-profiling port: 8008 targetPort: 8008 - name: http-metrics port: 9090 targetPort: 9090 selector: app: activator app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app: autoscaler app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: autoscaler namespace: knative-serving 
spec: ports: - name: http port: 8080 targetPort: 8080 - name: http-profiling port: 8008 targetPort: 8008 - name: http-metrics port: 9090 targetPort: 9090 - name: https-custom-metrics port: 443 targetPort: 8443 selector: app: autoscaler app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative --- apiVersion: v1 kind: Service metadata: labels: app: controller app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: controller namespace: knative-serving spec: ports: - name: http-profiling port: 8008 targetPort: 8008 - name: http-metrics port: 9090 targetPort: 9090 selector: app: controller app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative role: istio-webhook serving.knative.dev/release: v0.14.3 name: istio-webhook namespace: knative-serving spec: ports: - name: http-metrics port: 9090 targetPort: 9090 - name: http-profiling port: 8008 targetPort: 8008 - name: https-webhook port: 443 targetPort: 8443 selector: app: istio-webhook app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative role: webhook serving.knative.dev/release: v0.14.3 name: webhook namespace: knative-serving spec: ports: - name: http-metrics port: 9090 targetPort: 9090 - name: http-profiling port: 8008 targetPort: 8008 - name: https-webhook port: 443 targetPort: 8443 selector: app.kubernetes.io/component: 
knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative role: webhook --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: activator namespace: knative-serving spec: selector: matchLabels: app: activator app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative role: activator template: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "false" labels: app: activator app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative role: activator serving.knative.dev/release: v0.14.3 spec: containers: - env: - name: GOGC value: "500" - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SYSTEM_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: CONFIG_LOGGING_NAME value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability - name: METRICS_DOMAIN value: knative.dev/internal/serving image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-activator:special-3208b livenessProbe: httpGet: httpHeaders: - name: k-kubelet-probe value: activator port: 8012 name: activator ports: - containerPort: 8012 name: http1 - containerPort: 8013 name: h2c - containerPort: 9090 name: metrics - containerPort: 8008 name: profiling readinessProbe: httpGet: httpHeaders: - name: k-kubelet-probe value: activator port: 8012 resources: limits: cpu: 1000m memory: 600Mi requests: cpu: 300m memory: 60Mi securityContext: allowPrivilegeEscalation: false serviceAccountName: controller terminationGracePeriodSeconds: 300 --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: 
knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: autoscaler namespace: knative-serving spec: replicas: 1 selector: matchLabels: app: autoscaler app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative template: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "false" labels: app: autoscaler app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 spec: containers: - args: - --secure-port=8443 - --cert-dir=/tmp env: - name: SYSTEM_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: CONFIG_LOGGING_NAME value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability - name: METRICS_DOMAIN value: knative.dev/serving image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-autoscaler:special-4578f livenessProbe: httpGet: httpHeaders: - name: k-kubelet-probe value: autoscaler port: 8080 name: autoscaler ports: - containerPort: 8080 name: websocket - containerPort: 9090 name: metrics - containerPort: 8443 name: custom-metrics - containerPort: 8008 name: profiling readinessProbe: httpGet: httpHeaders: - name: k-kubelet-probe value: autoscaler port: 8080 resources: limits: cpu: 300m memory: 400Mi requests: cpu: 30m memory: 40Mi securityContext: allowPrivilegeEscalation: false serviceAccountName: controller --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: controller namespace: knative-serving spec: selector: matchLabels: app: controller app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative 
# Fragment: continues the "controller" Deployment whose metadata and selector
# are on the previous line of the dump.
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        app: controller
        app.kubernetes.io/component: knative-serving-install
        app.kubernetes.io/name: knative-serving-install
        kustomize.component: knative
        serving.knative.dev/release: v0.14.3
    spec:
      containers:
      - env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: METRICS_DOMAIN
          value: knative.dev/internal/serving
        # NOTE(review): image referenced by tag, not digest, from
        # registry.cn-shenzhen.aliyuncs.com/tensorbytes. A tag can be re-pointed;
        # verify provenance and pin as <image>@sha256:<digest-of-verified-image>.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-controller:special-9f8e4
        name: controller
        ports:
        - containerPort: 9090
          name: metrics
        - containerPort: 8008
          name: profiling
        resources:
          limits:
            cpu: 1000m
            memory: 1000Mi
          requests:
            cpu: 100m
            memory: 100Mi
        # Only privilege escalation is disabled; no runAsNonRoot,
        # readOnlyRootFilesystem or capabilities.drop in this manifest.
        securityContext:
          allowPrivilegeEscalation: false
      serviceAccountName: controller
---
# Deployment "istio-webhook": admission webhook server for the net-istio
# webhook configurations later in this file (they point at Service
# "istio-webhook" in this namespace).
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    serving.knative.dev/release: v0.14.3
  name: istio-webhook
  namespace: knative-serving
spec:
  selector:
    matchLabels:
      app: istio-webhook
      app.kubernetes.io/component: knative-serving-install
      app.kubernetes.io/name: knative-serving-install
      kustomize.component: knative
      role: istio-webhook
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: istio-webhook
        app.kubernetes.io/component: knative-serving-install
        app.kubernetes.io/name: knative-serving-install
        kustomize.component: knative
        role: istio-webhook
        serving.knative.dev/release: v0.14.3
    spec:
      containers:
      - env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: METRICS_DOMAIN
          value: knative.dev/net-istio
        - name: WEBHOOK_NAME
          value: istio-webhook
        # NOTE(review): same repository name (cmd-webhook) as the serving webhook
        # image but a different tag; which upstream binary each tag holds cannot
        # be told from the manifest. Same tag-vs-digest concern as above.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-webhook:special-6749b
        name: webhook
        ports:
        - containerPort: 9090
          name: metrics
        - containerPort: 8008
          name: profiling
        - containerPort: 8443
          name: https-webhook
        resources:
          limits:
            cpu: 200m
            memory: 200Mi
          requests:
            cpu: 20m
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
      # The webhook pod shares ServiceAccount "controller" with the controllers.
      serviceAccountName: controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    networking.knative.dev/ingress-provider: istio
    serving.knative.dev/release: v0.14.3
  name: networking-istio
  namespace: knative-serving
spec:
  selector:
    matchLabels:
      app: networking-istio
      app.kubernetes.io/component: knative-serving-install
      app.kubernetes.io/name: knative-serving-install
      kustomize.component: knative
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        # This pod opts out of Istio sidecar injection, so sidecar-enforced
        # mTLS and AuthorizationPolicy do not apply to its own traffic.
        sidecar.istio.io/inject: "false"
      labels:
        app: networking-istio
        app.kubernetes.io/component: knative-serving-install
        app.kubernetes.io/name: knative-serving-install
        kustomize.component: knative
        serving.knative.dev/release: v0.14.3
    spec:
      containers:
      - env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: METRICS_DOMAIN
          value: knative.dev/net-istio
        # Tag-referenced image; same provenance and pinning concern as above.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-controller:special-ba7fa
        name: networking-istio
        ports:
        - containerPort: 9090
          name: metrics
        - containerPort: 8008
          name: profiling
        resources:
          limits:
            cpu: 300m
            memory: 400Mi
          requests:
            cpu: 30m
            memory: 40Mi
        securityContext:
          allowPrivilegeEscalation: false
      serviceAccountName: controller
---
# Deployment "webhook"; the rest of its metadata is on the next dump line.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
# Fragment: continues the metadata.labels of the "webhook" Deployment that
# starts on the previous line of the dump.
    serving.knative.dev/release: v0.14.3
  name: webhook
  namespace: knative-serving
spec:
  selector:
    matchLabels:
      app: webhook
      app.kubernetes.io/component: knative-serving-install
      app.kubernetes.io/name: knative-serving-install
      kustomize.component: knative
      role: webhook
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: webhook
        app.kubernetes.io/component: knative-serving-install
        app.kubernetes.io/name: knative-serving-install
        kustomize.component: knative
        role: webhook
        serving.knative.dev/release: v0.14.3
    spec:
      containers:
      - env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: METRICS_DOMAIN
          value: knative.dev/serving
        # NOTE(review): referenced by tag, not digest, from
        # registry.cn-shenzhen.aliyuncs.com/tensorbytes. A tag can be re-pointed;
        # verify provenance and pin as <image>@sha256:<digest-of-verified-image>.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-webhook:special-d1b48
        name: webhook
        ports:
        - containerPort: 9090
          name: metrics
        - containerPort: 8008
          name: profiling
        - containerPort: 8443
          name: https-webhook
        resources:
          limits:
            cpu: 200m
            memory: 200Mi
          requests:
            cpu: 20m
            memory: 20Mi
        # Only privilege escalation is disabled; no runAsNonRoot,
        # readOnlyRootFilesystem or capabilities.drop in this manifest.
        securityContext:
          allowPrivilegeEscalation: false
      serviceAccountName: controller
---
# NOTE(review): autoscaling/v2beta1 is no longer served from Kubernetes 1.25;
# the target Deployment "activator" is defined outside this excerpt.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    serving.knative.dev/release: v0.14.3
  name: activator
  namespace: knative-serving
spec:
  maxReplicas: 20
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 100
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: activator
---
apiVersion: caching.internal.knative.dev/v1alpha1
kind: Image
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    serving.knative.dev/release: v0.14.3
  name: queue-proxy
  namespace: knative-serving
spec:
  # Digest-pinned reference on gcr.io: the only image in this file section
  # that is immutable by construction. The Deployments above use tags on a
  # different registry.
  image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:d066ae5b642885827506610ae25728d442ce11447b82df6e9cc4c174bb97ecb3
---
# Client-side traffic policy: Istio mutual TLS for connections to any host
# under knative-serving.svc.cluster.local.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
  name: knative
  namespace: knative-serving
spec:
  host: '*.knative-serving.svc.cluster.local'
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Plain HTTP on port 80 for any host ('*') on the gateway pods labelled
# istio: cluster-local-gateway.
# NOTE(review): how that gateway's Service is exposed is defined elsewhere;
# confirm it is not reachable from outside the cluster.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    networking.knative.dev/ingress-provider: istio
    serving.knative.dev/release: v0.14.3
  name: cluster-local-gateway
  namespace: knative-serving
spec:
  selector:
    istio: cluster-local-gateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---
# `rules: - {}` is one empty rule, which matches every request: with action
# ALLOW this admits traffic from any source to the selected pods.
# NOTE(review): presumably intentional so callers without a mesh identity are
# not blocked by other ALLOW policies; confirm, and narrow by source or port
# where the callers are known.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
  name: activator-service
  namespace: knative-serving
spec:
  action: ALLOW
  rules:
  - {}
  selector:
    matchLabels:
      app: activator
      app.kubernetes.io/component: knative-serving-install
      app.kubernetes.io/name: knative-serving-install
      kustomize.component: knative
---
# Same allow-all pattern, applied to the autoscaler pods.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
  name: autoscaler
  namespace: knative-serving
spec:
  action: ALLOW
  rules:
  - {}
  selector:
    matchLabels:
      app: autoscaler
      app.kubernetes.io/component: knative-serving-install
      app.kubernetes.io/name: knative-serving-install
      kustomize.component: knative
---
# AuthorizationPolicy for the controller pods; continues on the next dump line.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
# Fragment: continues the metadata.labels of the "controller"
# AuthorizationPolicy that starts on the previous line of the dump.
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
  name: controller
  namespace: knative-serving
spec:
  # `rules: - {}` is one empty rule, which matches every request: with action
  # ALLOW this admits traffic from any source to the selected pods.
  # NOTE(review): confirm this is intended, and narrow by source or port where
  # the callers are known.
  action: ALLOW
  rules:
  - {}
  selector:
    matchLabels:
      app: controller
      app.kubernetes.io/component: knative-serving-install
      app.kubernetes.io/name: knative-serving-install
      kustomize.component: knative
---
# Same allow-all pattern for the istio-webhook pods.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
  name: istio-webhook
  namespace: knative-serving
spec:
  action: ALLOW
  rules:
  - {}
  selector:
    matchLabels:
      app: istio-webhook
      app.kubernetes.io/component: knative-serving-install
      app.kubernetes.io/name: knative-serving-install
      kustomize.component: knative
---
# Same allow-all pattern; unlike the sibling policies this one selects on
# `role: webhook` and has no `app` label in its selector.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
  name: webhook
  namespace: knative-serving
spec:
  action: ALLOW
  rules:
  - {}
  selector:
    matchLabels:
      app.kubernetes.io/component: knative-serving-install
      app.kubernetes.io/name: knative-serving-install
      kustomize.component: knative
      role: webhook
---
# NOTE(review): admissionregistration.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22. The manifest carries neither `rules` nor a `caBundle`;
# presumably the webhook process fills both in at runtime; confirm.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    serving.knative.dev/release: v0.14.3
  name: webhook.istio.networking.internal.knative.dev
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: istio-webhook
      namespace: knative-serving
  # Fail closed: if the istio-webhook Service is unavailable, matching API
  # requests are rejected rather than admitted unmutated.
  failurePolicy: Fail
  name: webhook.istio.networking.internal.knative.dev
  # Only objects carrying the label serving.knative.dev/configuration are sent
  # to this webhook.
  objectSelector:
    matchExpressions:
    - key: serving.knative.dev/configuration
      operator: Exists
  sideEffects: None
---
# Second MutatingWebhookConfiguration; continues on the next dump line.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  labels:
# Fragment: continues the metadata.labels of the MutatingWebhookConfiguration
# that starts on the previous line of the dump.
# NOTE(review): every configuration in this block uses
# admissionregistration.k8s.io/v1beta1, which is no longer served from
# Kubernetes 1.22, and ships without `rules` or `caBundle`; presumably the
# webhook processes populate them at runtime; confirm.
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    serving.knative.dev/release: v0.14.3
  name: webhook.serving.knative.dev
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: webhook
      namespace: knative-serving
  # Fail closed, with no namespaceSelector or objectSelector in the manifest:
  # the blast radius of an unavailable webhook depends on the rules that get
  # registered for it.
  failurePolicy: Fail
  name: webhook.serving.knative.dev
  sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    serving.knative.dev/release: v0.14.3
  name: config.webhook.istio.networking.internal.knative.dev
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: istio-webhook
      namespace: knative-serving
  failurePolicy: Fail
  name: config.webhook.istio.networking.internal.knative.dev
  # Limited to namespaces that carry the serving.knative.dev/release label.
  namespaceSelector:
    matchExpressions:
    - key: serving.knative.dev/release
      operator: Exists
  sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    serving.knative.dev/release: v0.14.3
  name: config.webhook.serving.knative.dev
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: webhook
      namespace: knative-serving
  failurePolicy: Fail
  name: config.webhook.serving.knative.dev
  # Limited to namespaces that carry the serving.knative.dev/release label.
  namespaceSelector:
    matchExpressions:
    - key: serving.knative.dev/release
      operator: Exists
  sideEffects: None
---
# Third ValidatingWebhookConfiguration; its clientConfig continues on the next
# dump line.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: knative-serving-install
    app.kubernetes.io/name: knative-serving-install
    kustomize.component: knative
    serving.knative.dev/release: v0.14.3
  name: validation.webhook.serving.knative.dev
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
service: name: webhook namespace: knative-serving failurePolicy: Fail name: validation.webhook.serving.knative.dev sideEffects: None ================================================ FILE: manifest1.3/011-knative-knative-eventing-crds-base.yaml ================================================ apiVersion: v1 kind: Namespace metadata: labels: eventing.knative.dev/release: v0.14.2 name: knative-eventing --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: registry.knative.dev/eventTypes: | [ { "type": "dev.knative.apiserver.resource.add" }, { "type": "dev.knative.apiserver.resource.delete" }, { "type": "dev.knative.apiserver.resource.update" }, { "type": "dev.knative.apiserver.ref.add" }, { "type": "dev.knative.apiserver.ref.delete" }, { "type": "dev.knative.apiserver.ref.update" } ] creationTimestamp: null labels: duck.knative.dev/source: "true" eventing.knative.dev/release: v0.14.2 eventing.knative.dev/source: "true" knative.dev/crd-install: "true" name: apiserversources.sources.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string - JSONPath: .status.sinkUri name: Sink type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: sources.knative.dev names: categories: - all - knative - eventing - sources kind: ApiServerSource plural: apiserversources preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: true - name: v1alpha2 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/addressable: "true" 
eventing.knative.dev/release: v0.14.2 knative.dev/crd-install: "true" name: brokers.eventing.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string - JSONPath: .status.address.url name: URL type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: eventing.knative.dev names: categories: - all - knative - eventing kind: Broker plural: brokers singular: broker preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" name: channels.messaging.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string - JSONPath: .status.address.url name: URL type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: messaging.knative.dev names: categories: - all - knative - messaging - channel kind: Channel plural: channels shortNames: - ch singular: channel preserveUnknownFields: false scope: Namespaced subresources: status: {} versions: - name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: channelTemplate: description: 'Channel implementation which dictates the 
durability guarantees of events. If not specified then the default channel is used. More information: https://knative.dev/docs/eventing/channels/default-channels.' properties: apiVersion: description: API version of the channel implementation. minLength: 1 type: string kind: description: Kind of the channel implementation to use (InMemoryChannel, KafkaChannel, etc.). minLength: 1 type: string spec: type: object required: - apiVersion - kind type: object subscribable: properties: subscribers: description: Events received on the channel are forwarded to its subscribers. items: properties: ref: description: a reference to a Kubernetes object from which to retrieve the target URI. properties: apiVersion: type: string kind: type: string name: minLength: 1 type: string namespace: minLength: 1 type: string uid: minLength: 1 type: string required: - namespace - name - uid type: object x-kubernetes-preserve-unknown-fields: true replyURI: description: Endpoint for the reply. minLength: 1 type: string subscriberURI: description: Endpoint for the subscriber. minLength: 1 type: string uid: description: Used to understand the origin of the subscriber. 
minLength: 1 type: string required: - uid type: object x-kubernetes-preserve-unknown-fields: true type: array type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true - name: v1beta1 schema: openAPIV3Schema: properties: spec: type: object x-kubernetes-preserve-unknown-fields: true status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: eventing.knative.dev/release: v0.14.2 knative.dev/crd-install: "true" name: configmappropagations.configs.internal.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string - JSONPath: .spec.originalNamespace name: OriginalNamespace type: string group: configs.internal.knative.dev names: categories: - knative-internal kind: ConfigMapPropagation plural: configmappropagations shortNames: - kcmp - cmp singular: configmappropagation scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: originalNamespace: description: The namespace where original ConfigMaps exist in. 
type: string required: - originalNamespace versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/source: "true" eventing.knative.dev/release: v0.14.2 eventing.knative.dev/source: "true" knative.dev/crd-install: "true" name: containersources.sources.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string - JSONPath: .status.sinkUri name: Sink type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: sources.knative.dev names: categories: - all - knative - eventing - sources kind: ContainerSource plural: containersources preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: eventing.knative.dev/release: v0.14.2 knative.dev/crd-install: "true" name: eventtypes.eventing.knative.dev spec: additionalPrinterColumns: - JSONPath: .spec.type name: Type type: string - JSONPath: .spec.source name: Source type: string - JSONPath: .spec.schema name: Schema type: string - JSONPath: .spec.broker name: Broker type: string - JSONPath: .spec.description name: Description type: string - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: eventing.knative.dev names: categories: - all - knative - eventing kind: EventType plural: eventtypes singular: eventtype preserveUnknownFields: false scope: Namespaced subresources: status: {} 
validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" name: inmemorychannels.messaging.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string - JSONPath: .status.address.url name: URL type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: messaging.knative.dev names: categories: - all - knative - messaging - channel kind: InMemoryChannel plural: inmemorychannels shortNames: - imc singular: inmemorychannel preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 knative.dev/crd-install: "true" name: parallels.flows.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string - JSONPath: .status.address.url name: URL type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: 
flows.knative.dev names: categories: - all - knative - eventing - flows kind: Parallel plural: parallels singular: parallel preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: registry.knative.dev/eventTypes: | [ { "type": "dev.knative.sources.ping" } ] labels: duck.knative.dev/source: "true" eventing.knative.dev/release: v0.14.2 eventing.knative.dev/source: "true" knative.dev/crd-install: "true" name: pingsources.sources.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string - JSONPath: .status.sinkUri name: Sink type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: sources.knative.dev names: categories: - all - knative - eventing - sources kind: PingSource plural: pingsources preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: true - name: v1alpha2 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 knative.dev/crd-install: "true" name: sequences.flows.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string - JSONPath: 
.status.address.url name: URL type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: flows.knative.dev names: categories: - all - knative - eventing - flows kind: Sequence plural: sequences singular: sequence preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: duck.knative.dev/binding: "true" duck.knative.dev/source: "true" eventing.knative.dev/release: v0.14.2 eventing.knative.dev/source: "true" knative.dev/crd-install: "true" name: sinkbindings.sources.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=='Ready')].reason name: Reason type: string - JSONPath: .status.sinkUri name: Sink type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: sources.knative.dev names: categories: - all - knative - eventing - sources - bindings kind: SinkBinding plural: sinkbindings preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true storage: true - name: v1alpha2 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: eventing.knative.dev/release: v0.14.2 knative.dev/crd-install: "true" name: subscriptions.messaging.knative.dev spec: additionalPrinterColumns: - JSONPath: 
.status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: None group: messaging.knative.dev names: categories: - all - knative - eventing kind: Subscription plural: subscriptions shortNames: - sub singular: subscription preserveUnknownFields: false scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: channel: description: Channel that forwards incoming events to the subscription. properties: apiVersion: minLength: 1 type: string kind: type: string name: minLength: 1 type: string required: - apiVersion - kind - name type: object delivery: description: 'Subscription delivery options. More information: https://knative.dev/docs/eventing/event-delivery.' type: object x-kubernetes-preserve-unknown-fields: true reply: description: the destination that (optionally) receive events. properties: ref: description: a reference to a Kubernetes object from which to retrieve the target URI. properties: apiVersion: minLength: 1 type: string kind: minLength: 1 type: string name: minLength: 1 type: string namespace: minLength: 1 type: string required: - apiVersion - kind - name type: object uri: description: the target URI or, if ref is provided, a relative URI reference that will be combined with ref to produce a target URI. minLength: 1 type: string type: object subscriber: description: the subscriber that (optionally) processes events. properties: ref: description: a reference to a Kubernetes object from which to retrieve the target URI. 
properties: apiVersion: minLength: 1 type: string kind: minLength: 1 type: string name: minLength: 1 type: string namespace: minLength: 1 type: string required: - apiVersion - kind - name type: object uri: description: the target URI or, if ref is provided, a relative URI reference that will be combined with ref to produce a target URI. minLength: 1 type: string type: object required: - channel type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object versions: - name: v1alpha1 served: true storage: true - name: v1beta1 served: true storage: false --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: eventing.knative.dev/release: v0.14.2 knative.dev/crd-install: "true" name: triggers.eventing.knative.dev spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .status.conditions[?(@.type=="Ready")].reason name: Reason type: string - JSONPath: .spec.broker name: Broker type: string - JSONPath: .status.subscriberUri name: Subscriber_URI type: string - JSONPath: .metadata.creationTimestamp name: Age type: date conversion: strategy: Webhook webhookClientConfig: service: name: eventing-webhook namespace: knative-eventing group: eventing.knative.dev names: categories: - all - knative - eventing kind: Trigger plural: triggers singular: trigger preserveUnknownFields: false scope: Namespaced subresources: status: {} versions: - name: v1alpha1 schema: openAPIV3Schema: properties: spec: properties: broker: description: Broker that this trigger receives events from. If not specified, will default to 'default'. type: string filter: properties: attributes: additionalProperties: type: string description: Map of CloudEvents attributes used for filtering events. type: object sourceAndType: properties: source: type: string type: type: string type: object type: object subscriber: description: the destination that should receive events. 
properties: ref: description: a reference to a Kubernetes object from which to retrieve the target URI. properties: apiVersion: minLength: 1 type: string kind: minLength: 1 type: string name: minLength: 1 type: string namespace: minLength: 1 type: string required: - apiVersion - kind - name type: object uri: description: the target URI or, if ref is provided, a relative URI reference that will be combined with ref to produce a target URI. type: string type: object required: - subscriber type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true - name: v1beta1 schema: openAPIV3Schema: properties: spec: properties: broker: description: Broker that this trigger receives events from. If not specified, will default to 'default'. type: string filter: properties: attributes: additionalProperties: type: string description: Map of CloudEvents attributes used for filtering events. type: object type: object subscriber: description: the destination that should receive events. properties: ref: description: a reference to a Kubernetes object from which to retrieve the target URI. properties: apiVersion: minLength: 1 type: string kind: minLength: 1 type: string name: minLength: 1 type: string namespace: minLength: 1 type: string required: - apiVersion - kind - name type: object uri: description: the target URI or, if ref is provided, a relative URI reference that will be combined with ref to produce a target URI. 
# Fragment: closes the v1beta1 schema of the triggers.eventing.knative.dev
# CustomResourceDefinition that starts on earlier lines of the dump.
                    type: string
                type: object
            required:
            - subscriber
            type: object
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: false
================================================
FILE: manifest1.3/012-knative-knative-eventing-install-base.yaml
================================================
# Five ServiceAccounts for the knative-eventing components. The bindings that
# attach roles to them are not part of this excerpt.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: eventing-controller
  namespace: knative-eventing
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: eventing-webhook
  namespace: knative-eventing
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: imc-controller
  namespace: knative-eventing
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: imc-dispatcher
  namespace: knative-eventing
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: pingsource-jobrunner
  namespace: knative-eventing
---
# Aggregated ClusterRole: `rules` is empty here and is filled from every
# ClusterRole labelled duck.knative.dev/addressable: "true" (in this file the
# broker-, channel-, flows- and imc-addressable-resolver roles carry it).
# NOTE(review): anyone who can create or label ClusterRoles can widen this
# role, so keep ClusterRole write access restricted.
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      duck.knative.dev/addressable: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: addressable-resolver
rules: []
---
# Read-only access to brokers; aggregated into addressable-resolver through
# its label.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    duck.knative.dev/addressable: "true"
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: broker-addressable-resolver
rules:
- apiGroups:
  - eventing.knative.dev
  resources:
  - brokers
  - brokers/status
  verbs:
  - get
  - list
  - watch
---
# ClusterRole labelled duck.knative.dev/podspecable; its name and rules are on
# the next dump line.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    duck.knative.dev/podspecable: "true"
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
name: builtin-podspecable-binding rules: - apiGroups: - apps resources: - deployments - daemonsets - statefulsets - replicasets verbs: - list - watch - patch - apiGroups: - batch resources: - jobs verbs: - list - watch - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: channel-addressable-resolver rules: - apiGroups: - messaging.knative.dev resources: - channels - channels/status verbs: - get - list - watch - apiGroups: - messaging.knative.dev resources: - channels/finalizers verbs: - update --- aggregationRule: clusterRoleSelectors: - matchLabels: duck.knative.dev/channelable: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: channelable-manipulator rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-broker-filter rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - eventing.knative.dev resources: - triggers - triggers/status verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-broker-ingress rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-config-reader rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: duck.knative.dev/source: "true" eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: 
eventing-sources-source-observer rules: - apiGroups: - sources.knative.dev resources: - apiserversources - pingsources - sinkbindings - containersources verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: flows-addressable-resolver rules: - apiGroups: - flows.knative.dev resources: - sequences - sequences/status - parallels - parallels/status verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: imc-addressable-resolver rules: - apiGroups: - messaging.knative.dev resources: - inmemorychannels - inmemorychannels/status verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: duck.knative.dev/channelable: "true" eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: imc-channelable-manipulator rules: - apiGroups: - messaging.knative.dev resources: - inmemorychannels - inmemorychannels/status verbs: - create - get - list - watch - update - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: imc-controller rules: - apiGroups: - messaging.knative.dev resources: - inmemorychannels - inmemorychannels/status verbs: - get - list - watch - update - apiGroups: - messaging.knative.dev resources: - inmemorychannels/finalizers verbs: - update - apiGroups: - "" resources: - services - serviceaccounts verbs: - get - list - watch - create - update - patch - apiGroups: - "" resources: - endpoints verbs: - get - list - watch - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings verbs: - get - list - watch - create - update - patch - apiGroups: - apps resources: - 
deployments verbs: - get - list - watch - create - update - patch - apiGroups: - apps resources: - deployments/status verbs: - get - list - watch - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - watch - create - update - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: imc-dispatcher rules: - apiGroups: - messaging.knative.dev resources: - inmemorychannels - inmemorychannels/status verbs: - get - list - watch - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - messaging.knative.dev resources: - inmemorychannels/status verbs: - update - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - watch - create - update - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: knative-eventing-channel-broker-controller rules: - apiGroups: - configs.internal.knative.dev resources: - configmappropagations - configmappropagations/status verbs: - get - list - create - update - delete - patch - watch - apiGroups: - configs.internal.knative.dev resources: - configmappropagations/finalizers verbs: - update - apiGroups: - "" resources: - namespaces/finalizers verbs: - update - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - create - update - delete - patch - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: knative-eventing-controller rules: - apiGroups: - "" resources: - namespaces - secrets - configmaps - services - endpoints - events - serviceaccounts verbs: - 
get - list - create - update - delete - patch - watch - apiGroups: - apps resources: - deployments verbs: - get - list - create - update - delete - patch - watch - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings verbs: - get - list - create - update - delete - patch - watch - apiGroups: - eventing.knative.dev resources: - brokers - brokers/status - triggers - triggers/status - eventtypes - eventtypes/status verbs: - get - list - create - update - delete - patch - watch - apiGroups: - eventing.knative.dev resources: - brokers/finalizers - triggers/finalizers verbs: - update - apiGroups: - messaging.knative.dev resources: - sequences - sequences/status - channels - channels/status - parallels - parallels/status - subscriptions - subscriptions/status verbs: - get - list - create - update - delete - patch - watch - apiGroups: - flows.knative.dev resources: - sequences - sequences/status - parallels - parallels/status verbs: - get - list - create - update - delete - patch - watch - apiGroups: - messaging.knative.dev resources: - sequences/finalizers - parallels/finalizers - channels/finalizers verbs: - update - apiGroups: - flows.knative.dev resources: - sequences/finalizers - parallels/finalizers verbs: - update - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: knative-eventing-jobrunner rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - sources.knative.dev resources: - pingsources - pingsources/status verbs: - get - list - watch - patch - apiGroups: - sources.knative.dev resources: - pingsources/finalizers verbs: - patch - apiGroups: - "" resources: - events verbs: - create - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 
kustomize.component: knative rbac.authorization.k8s.io/aggregate-to-admin: "true" name: knative-eventing-namespaced-admin rules: - apiGroups: - eventing.knative.dev resources: - '*' verbs: - '*'
# The line above is the tail of a ClusterRole that starts on the previous line of
# this whitespace-collapsed listing; it is left exactly as found.
---
# Aggregated into the built-in `edit` ClusterRole through the aggregate-to-edit
# label, so any subject bound to `edit` in a namespace receives these write verbs
# on every resource of the three listed API groups.
# NOTE(review): sources.knative.dev is absent here although the view role below
# lists it; confirm whether that gap is intentional.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: knative-eventing-namespaced-edit
rules:
- apiGroups:
  - eventing.knative.dev
  - messaging.knative.dev
  - flows.knative.dev
  resources:
  - '*'
  verbs:
  - create
  - update
  - patch
  - delete
---
# Read-only counterpart, aggregated into the built-in `view` ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: knative-eventing-namespaced-view
rules:
- apiGroups:
  - eventing.knative.dev
  - messaging.knative.dev
  - sources.knative.dev
  - flows.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
---
# Permissions for the sources controller. Elsewhere in this file the
# ClusterRoleBinding eventing-controller-sources-controller binds this role to
# ServiceAccount eventing-controller in knative-eventing, so every rule below
# applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: knative-eventing-sources-controller
rules:
# NOTE(review): full read/write on Secrets, cluster-wide. A token for the bound
# ServiceAccount can read every Secret in the cluster, so the pods running as it
# are high-value: keep API audit logging on for Secret access by this identity
# and check whether the controller really needs more than get/list/watch.
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  - services
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
# Create/modify/delete on Deployments in any namespace.
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - sources.knative.dev
  resources:
  - sinkbindings
  - sinkbindings/status
  - sinkbindings/finalizers
  - apiserversources
  - apiserversources/status
  - apiserversources/finalizers
  - pingsources
  - pingsources/status
  - pingsources/finalizers
  - containersources
  - containersources/status
  - containersources/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - serving.knative.dev
  resources:
  - services
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - eventing.knative.dev
  resources:
  - eventtypes
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
# Lets the controller ask the API server for authorization decisions
# (SubjectAccessReview); create is the only verb that resource needs.
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
# Permissions for the admission webhook. Elsewhere in this file the
# ClusterRoleBinding eventing-webhook binds this role to ServiceAccount
# eventing-webhook in knative-eventing, so the rules are cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: knative-eventing-webhook
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
# NOTE(review): read and write (no delete/patch) on Secrets in every namespace.
# The only Secret this file defines for the webhook is eventing-webhook-certs;
# presumably that is the one it manages. Confirm, and consider a namespaced
# Role or resourceNames for the verbs that support it.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
- apiGroups:
  - apps
  resources:
  - deployments/finalizers
  verbs:
  - update
# NOTE(review): write access to all Mutating/ValidatingWebhookConfigurations.
# Whoever holds this ServiceAccount's token can change what the API server
# admits for the whole cluster. The objects this file defines are
# sinkbindings.webhook.sources.knative.dev, webhook.eventing.knative.dev and
# config.webhook.eventing.knative.dev; narrowing update/patch/delete to those
# names with resourceNames is worth testing.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - sources.knative.dev
  resources:
  - sinkbindings
  - sinkbindings/status
  - sinkbindings/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
# NOTE(review): create/update/delete on every CustomResourceDefinition, not only
# the Knative ones. Deleting a CRD removes all of its custom resources, so this
# is a cluster-admin-adjacent grant; alert on CRD writes by this identity.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
---
# Aggregated into the built-in `admin` ClusterRole: every verb on every resource
# in flows.knative.dev for anyone bound to `admin` in a namespace. The wildcards
# also cover resources added to the group by later upgrades.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: knative-flows-namespaced-admin
rules:
- apiGroups:
  - flows.knative.dev
  resources:
  - '*'
  verbs:
  - '*'
---
# Same aggregate-to-admin pattern for messaging.knative.dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: knative-messaging-namespaced-admin
rules:
- apiGroups:
  - messaging.knative.dev
  resources:
  - '*'
  verbs:
  - '*'
---
# The line below is the head of a ClusterRole that continues on the next line of
# this whitespace-collapsed listing; it is left exactly as found.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative
rbac.authorization.k8s.io/aggregate-to-admin: "true" name: knative-sources-namespaced-admin rules: - apiGroups: - sources.knative.dev resources: - '*' verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: messaging-addressable-resolver rules: - apiGroups: - messaging.knative.dev resources: - sequences - sequences/status - parallels - parallels/status verbs: - get - list - watch --- aggregationRule: clusterRoleSelectors: - matchLabels: duck.knative.dev/podspecable: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: podspecable-binding rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: service-addressable-resolver rules: - apiGroups: - "" resources: - services verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: duck.knative.dev/addressable: "true" eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: serving-addressable-resolver rules: - apiGroups: - serving.knative.dev resources: - routes - routes/status - services - services/status verbs: - get - list - watch --- aggregationRule: clusterRoleSelectors: - matchLabels: duck.knative.dev/source: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: source-observer rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-channel-broker-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: 
knative-eventing-channel-broker-controller subjects: - kind: ServiceAccount name: eventing-controller namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: knative-eventing-controller subjects: - kind: ServiceAccount name: eventing-controller namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-controller-manipulator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: channelable-manipulator subjects: - kind: ServiceAccount name: eventing-controller namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-controller-resolver roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: addressable-resolver subjects: - kind: ServiceAccount name: eventing-controller namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-controller-source-observer roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: source-observer subjects: - kind: ServiceAccount name: eventing-controller namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-controller-sources-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: knative-eventing-sources-controller subjects: - kind: ServiceAccount name: eventing-controller namespace: knative-eventing --- 
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: knative-eventing-webhook subjects: - kind: ServiceAccount name: eventing-webhook namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-webhook-podspecable-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: podspecable-binding subjects: - kind: ServiceAccount name: eventing-webhook namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-webhook-resolver roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: addressable-resolver subjects: - kind: ServiceAccount name: eventing-webhook namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: imc-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: imc-controller subjects: - kind: ServiceAccount name: imc-controller namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: imc-dispatcher roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: imc-dispatcher subjects: - kind: ServiceAccount name: imc-dispatcher namespace: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: pingsource-jobrunner roleRef: apiGroup: rbac.authorization.k8s.io 
kind: ClusterRole name: knative-eventing-jobrunner subjects: - kind: ServiceAccount name: pingsource-jobrunner namespace: knative-eventing --- apiVersion: v1 data: channelTemplateSpec: | apiVersion: messaging.knative.dev/v1alpha1 kind: InMemoryChannel kind: ConfigMap metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: config-br-default-channel namespace: knative-eventing --- apiVersion: v1 data: default-br-config: | clusterDefault: brokerClass: ChannelBasedBroker apiVersion: v1 kind: ConfigMap name: config-br-default-channel namespace: knative-eventing kind: ConfigMap metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: config-br-defaults namespace: knative-eventing --- apiVersion: v1 data: MaxIdleConnections: "1000" MaxIdleConnectionsPerHost: "100" kind: ConfigMap metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: config-imc-event-dispatcher namespace: knative-eventing --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # resourceLock controls which API resource is used as the basis for the # leader election lock. Valid values are: # # - leases -> use the coordination API # - configmaps -> use configmaps # - endpoints -> use endpoints resourceLock: "leases" # leaseDuration is how long non-leaders will wait to try to acquire the # lock; 15 seconds is the value used by core kubernetes controllers. 
leaseDuration: "15s" # renewDeadline is how long a leader will try to renew the lease before # giving up; 10 seconds is the value used by core kubernetes controllers. renewDeadline: "10s" # retryPeriod is how long the leader election client waits between tries of # actions; 2 seconds is the value used by core kuberntes controllers. retryPeriod: "2s" # enabledComponents is a comma-delimited list of component names for which # leader election is enabled. Valid values are: # # - controller # - broker-controller # - inmemorychannel-dispatcher # - inmemorychannel-controller enabledComponents: "controller,broker-controller,inmemorychannel-dispatcher,inmemorychannel-controller" leaseDuration: 15s renewDeadline: 10s resourceLock: leases retryPeriod: 2s kind: ConfigMap metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: config-leader-election namespace: knative-eventing --- apiVersion: v1 data: loglevel.controller: info loglevel.webhook: info zap-logger-config: | { "level": "info", "development": false, "outputPaths": ["stdout"], "errorOutputPaths": ["stderr"], "encoding": "json", "encoderConfig": { "timeKey": "ts", "levelKey": "level", "nameKey": "logger", "callerKey": "caller", "messageKey": "msg", "stacktraceKey": "stacktrace", "lineEnding": "", "levelEncoder": "", "timeEncoder": "iso8601", "durationEncoder": "", "callerEncoder": "" } } kind: ConfigMap metadata: labels: eventing.knative.dev/release: v0.14.2 knative.dev/config-category: eventing knative.dev/config-propagation: original kustomize.component: knative name: config-logging namespace: knative-eventing --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. 
# # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # metrics.backend-destination field specifies the system metrics destination. # It supports either prometheus (the default) or stackdriver. # Note: Using stackdriver will incur additional charges metrics.backend-destination: prometheus # metrics.request-metrics-backend-destination specifies the request metrics # destination. If non-empty, it enables queue proxy to send request metrics. # Currently supported values: prometheus, stackdriver. metrics.request-metrics-backend-destination: prometheus # metrics.stackdriver-project-id field specifies the stackdriver project ID. This # field is optional. When running on GCE, application default credentials will be # used if this field is not provided. metrics.stackdriver-project-id: "" # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to # Stackdriver using "global" resource type and custom metric type if the # metrics are not supported by "knative_broker", "knative_trigger", and "knative_source" resource types. # Setting this flag to "true" could cause extra Stackdriver charge. # If metrics.backend-destination is not Stackdriver, this is ignored. metrics.allow-stackdriver-custom-metrics: "false" # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from # the pods via an HTTP server in the format expected by the pprof visualization tool. When # enabled, the Knative Eventing pods expose the profiling data on an alternate HTTP port 8008. # The HTTP context root for profiling is then /debug/pprof/. 
profiling.enable: "false" kind: ConfigMap metadata: labels: eventing.knative.dev/release: v0.14.2 knative.dev/config-category: eventing knative.dev/config-propagation: original kustomize.component: knative name: config-observability namespace: knative-eventing --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # # This may be "zipkin" or "stackdriver", the default is "none" backend: "none" # URL to zipkin collector where traces are sent. # This must be specified when backend is "zipkin" zipkin-endpoint: "http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans" # The GCP project into which stackdriver metrics will be written # when backend is "stackdriver". If unspecified, the project-id # is read from GCP metadata when running on GCP. stackdriver-project-id: "my-project" # Enable zipkin debug mode. This allows all spans to be sent to the server # bypassing sampling. 
debug: "false" # Percentage (0-1) of requests to trace sample-rate: "0.1" kind: ConfigMap metadata: labels: eventing.knative.dev/release: v0.14.2 knative.dev/config-category: eventing knative.dev/config-propagation: original kustomize.component: knative name: config-tracing namespace: knative-eventing --- apiVersion: v1 data: default-ch-config: | clusterDefault: apiVersion: messaging.knative.dev/v1beta1 kind: InMemoryChannel namespaceDefaults: some-namespace: apiVersion: messaging.knative.dev/v1beta1 kind: InMemoryChannel kind: ConfigMap metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: default-ch-webhook namespace: knative-eventing --- apiVersion: v1 kind: Secret metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-webhook-certs namespace: knative-eventing --- apiVersion: v1 kind: Service metadata: labels: eventing.knative.dev/brokerRole: filter eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: broker-filter namespace: knative-eventing spec: ports: - name: http port: 80 protocol: TCP targetPort: 8080 - name: http-metrics port: 9090 protocol: TCP targetPort: 9090 selector: eventing.knative.dev/brokerRole: filter kustomize.component: knative --- apiVersion: v1 kind: Service metadata: labels: eventing.knative.dev/brokerRole: ingress eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: broker-ingress namespace: knative-eventing spec: ports: - name: http port: 80 protocol: TCP targetPort: 8080 - name: http-metrics port: 9090 protocol: TCP targetPort: 9090 selector: eventing.knative.dev/brokerRole: ingress kustomize.component: knative --- apiVersion: v1 kind: Service metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative role: eventing-webhook name: eventing-webhook namespace: knative-eventing spec: ports: - name: https-webhook port: 443 targetPort: 8443 selector: kustomize.component: knative role: 
eventing-webhook --- apiVersion: v1 kind: Service metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: dispatcher name: imc-dispatcher namespace: knative-eventing spec: ports: - name: http-dispatcher port: 80 protocol: TCP targetPort: 8080 selector: kustomize.component: knative messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: dispatcher --- apiVersion: apps/v1 kind: Deployment metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: broker-controller namespace: knative-eventing spec: replicas: 1 selector: matchLabels: app: broker-controller kustomize.component: knative template: metadata: labels: app: broker-controller eventing.knative.dev/release: v0.14.2 kustomize.component: knative spec: containers: - env: - name: SYSTEM_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: CONFIG_LOGGING_NAME value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability - name: METRICS_DOMAIN value: knative.dev/eventing - name: BROKER_INGRESS_IMAGE value: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/ingress@sha256:cfdaf7a48a22e3bab15e6b15e7ee387eb6406e00e9e4942e58b4a7bc8c2df3cf - name: BROKER_INGRESS_SERVICE_ACCOUNT value: eventing-broker-ingress - name: BROKER_FILTER_IMAGE value: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/filter@sha256:ad578e71aad9c040087dd621fddd73f70ede4d03ae5425c79e8995d06ebb8aca - name: BROKER_FILTER_SERVICE_ACCOUNT value: eventing-broker-filter - name: BROKER_IMAGE_PULL_SECRET_NAME value: null image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-channel_broker:special-740ce name: eventing-controller ports: - containerPort: 9090 name: metrics - containerPort: 8008 name: profiling resources: requests: cpu: 100m memory: 100Mi securityContext: allowPrivilegeEscalation: false terminationMessagePolicy: FallbackToLogsOnError 
serviceAccountName: eventing-controller --- apiVersion: apps/v1 kind: Deployment metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-controller namespace: knative-eventing spec: replicas: 1 selector: matchLabels: app: eventing-controller kustomize.component: knative template: metadata: labels: app: eventing-controller eventing.knative.dev/release: v0.14.2 kustomize.component: knative spec: containers: - env: - name: SYSTEM_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: CONFIG_LOGGING_NAME value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability - name: METRICS_DOMAIN value: knative.dev/eventing - name: PING_IMAGE value: gcr.io/knative-releases/knative.dev/eventing/cmd/ping/adapter@sha256:c7272752928f6eeb9a66cf47c00b2d295ffb8517f2033dbbc8a5f461f6adafc2 - name: JOB_RUNNER_IMAGE value: gcr.io/knative-releases/knative.dev/eventing/cmd/ping/jobrunner@sha256:b47877189b1e0f23c2617875574b16505251ae45ea091969332266621af99af8 - name: APISERVER_RA_IMAGE value: gcr.io/knative-releases/knative.dev/eventing/cmd/apiserver_receive_adapter@sha256:717e08da76235229c5664240351ece8c70767768437c0a6d498210cdcc182f14 image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-controller:special-a8863 name: eventing-controller ports: - containerPort: 9090 name: metrics - containerPort: 8008 name: profiling resources: requests: cpu: 100m memory: 100Mi securityContext: allowPrivilegeEscalation: false terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: eventing-controller --- apiVersion: apps/v1 kind: Deployment metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: eventing-webhook namespace: knative-eventing spec: replicas: 1 selector: matchLabels: app: eventing-webhook kustomize.component: knative role: eventing-webhook template: metadata: labels: app: eventing-webhook kustomize.component: knative role: eventing-webhook spec: containers: - env: - 
name: SYSTEM_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: CONFIG_LOGGING_NAME value: config-logging - name: METRICS_DOMAIN value: knative.dev/eventing - name: WEBHOOK_NAME value: eventing-webhook - name: SINK_BINDING_SELECTION_MODE value: exclusion image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/cmd-webhook:special-fcf31 name: eventing-webhook ports: - containerPort: 8443 name: https-webhook - containerPort: 9090 name: metrics - containerPort: 8008 name: profiling resources: limits: cpu: 200m memory: 200Mi requests: cpu: 20m memory: 20Mi securityContext: allowPrivilegeEscalation: false terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: eventing-webhook --- apiVersion: apps/v1 kind: Deployment metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: imc-controller namespace: knative-eventing spec: replicas: 1 selector: matchLabels: kustomize.component: knative messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: controller template: metadata: labels: kustomize.component: knative messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: controller spec: containers: - env: - name: CONFIG_LOGGING_NAME value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability - name: METRICS_DOMAIN value: knative.dev/inmemorychannel-controller - name: SYSTEM_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: DISPATCHER_IMAGE value: registry.cn-shenzhen.aliyuncs.com/tensorbytes/in_memory-channel_dispatcher:special-6f8a5 image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/in_memory-channel_controller:special-4135b name: controller ports: - containerPort: 9090 name: metrics - containerPort: 8008 name: profiling securityContext: allowPrivilegeEscalation: false serviceAccountName: imc-controller --- apiVersion: apps/v1 kind: Deployment metadata: labels: eventing.knative.dev/release: v0.14.2 kustomize.component: knative name: 
# Continues the Deployment whose metadata.name key ends the previous dump line.
    imc-dispatcher
  namespace: knative-eventing
spec:
  replicas: 1
  selector:
    matchLabels:
      kustomize.component: knative
      messaging.knative.dev/channel: in-memory-channel
      messaging.knative.dev/role: dispatcher
  template:
    metadata:
      labels:
        kustomize.component: knative
        messaging.knative.dev/channel: in-memory-channel
        messaging.knative.dev/role: dispatcher
    spec:
      containers:
      - env:
        - name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: METRICS_DOMAIN
          value: knative.dev/inmemorychannel-dispatcher
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # NOTE(review): tag reference, not a digest. This container also declares
        # no securityContext and no resources, unlike the other Knative
        # Deployments in this file.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/in_memory-channel_dispatcher:special-6f8a5
        name: dispatcher
        ports:
        - containerPort: 9090
          name: metrics
      serviceAccountName: imc-dispatcher
---
# Admission webhook registrations, all routed to the eventing-webhook Service.
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; newer clusters need the v1 API for these objects.
# No rules or caBundle are set in these manifests; presumably the webhook
# process fills them in at runtime (confirm against the Knative release).
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: sinkbindings.webhook.sources.knative.dev
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: eventing-webhook
      namespace: knative-eventing
  # Fail closed: requests this webhook matches are rejected when the webhook
  # Service cannot be reached.
  failurePolicy: Fail
  name: sinkbindings.webhook.sources.knative.dev
  sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: webhook.eventing.knative.dev
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: eventing-webhook
      namespace: knative-eventing
  failurePolicy: Fail
  name: webhook.eventing.knative.dev
  sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: config.webhook.eventing.knative.dev
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: eventing-webhook
      namespace: knative-eventing
  failurePolicy:
# Continues the config.webhook.eventing.knative.dev webhook entry; the first
# token is the value of the failurePolicy key that ends the previous dump line.
    Fail
  name: config.webhook.eventing.knative.dev
  # Only namespaces carrying the eventing.knative.dev/release label are selected.
  namespaceSelector:
    matchExpressions:
    - key: eventing.knative.dev/release
      operator: Exists
  sideEffects: None
---
# NOTE(review): v1beta1 admission registration API (removed in Kubernetes 1.22).
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    eventing.knative.dev/release: v0.14.2
    kustomize.component: knative
  name: validation.webhook.eventing.knative.dev
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    service:
      name: eventing-webhook
      namespace: knative-eventing
  failurePolicy: Fail
  name: validation.webhook.eventing.knative.dev
  sideEffects: None
================================================
FILE: manifest1.3/013-istio-1-9-0-cluster-local-gateway-base.yaml
================================================
# Identity used by the cluster-local-gateway pods.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: cluster-local-gateway
    install.operator.istio.io/owning-resource: unknown
    istio: cluster-local-gateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: cluster-local-gateway-service-account
  namespace: istio-system
---
# Read access to Secrets in istio-system for the gateway.
# NOTE(review): no resourceNames restriction, so the bound ServiceAccount can
# get, watch and list every Secret in the istio-system namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: cluster-local-gateway-sds
  namespace: istio-system
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list
---
# Binds the Role above to cluster-local-gateway-service-account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: cluster-local-gateway-sds
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cluster-local-gateway-sds
subjects:
- kind: ServiceAccount
  name: cluster-local-gateway-service-account
  namespace: istio-system
---
# Service for the gateway; its labels and spec continue on the next dump line.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: cluster-local-gateway
    install.operator.istio.io/owning-resource: unknown
    istio:
# Continues the cluster-local-gateway Service; the first token is the value of
# the istio label that ends the previous dump line.
      cluster-local-gateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: cluster-local-gateway
  namespace: istio-system
spec:
  ports:
  - name: status-port
    port: 15020
    protocol: TCP
    targetPort: 15020
  # Plain HTTP listener: port 80 forwards to container port 8080.
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: cluster-local-gateway
    istio: cluster-local-gateway
  # ClusterIP: the Service gets no external address from this manifest.
  type: ClusterIP
---
# Gateway proxy Deployment; the container spec continues on the following dump lines.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cluster-local-gateway
    install.operator.istio.io/owning-resource: unknown
    istio: cluster-local-gateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: cluster-local-gateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: cluster-local-gateway
      istio: cluster-local-gateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        # Sidecar injection is switched off for the gateway pod itself.
        sidecar.istio.io/inject: "false"
      labels:
        app: cluster-local-gateway
        chart: gateways
        heritage: Tiller
        install.operator.istio.io/owning-resource: unknown
        istio: cluster-local-gateway
        istio.io/rev: default
        operator.istio.io/component: IngressGateways
        release: istio
        service.istio.io/canonical-name: cluster-local-gateway
        service.istio.io/canonical-revision: latest
        sidecar.istio.io/inject: "false"
    spec:
      # Scheduling is restricted to amd64, ppc64le or s390x nodes.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - proxy
        - router
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --proxyLogLevel=warning
        -
# Continues the args list of the cluster-local-gateway proxy container from the
# previous dump line.
          --proxyComponentLogLevel=misc:error
        - --log_output_level=default:info
        - --serviceCluster
        - cluster-local-gateway
        env:
        # third-party-jwt pairs with the projected service-account token volume
        # (audience istio-ca) declared later in this Deployment.
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.hostIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: CANONICAL_SERVICE
          valueFrom:
            fieldRef:
              fieldPath: metadata.labels['service.istio.io/canonical-name']
        - name: CANONICAL_REVISION
          valueFrom:
            fieldRef:
              fieldPath: metadata.labels['service.istio.io/canonical-revision']
        - name: ISTIO_META_WORKLOAD_NAME
          value: cluster-local-gateway
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
        - name: ISTIO_META_UNPRIVILEGED_POD
          value: "true"
        - name: ISTIO_META_ROUTER_MODE
          value: sni-dnat
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        # NOTE(review): the proxy image is referenced by tag on a third-party
        # registry path rather than by digest; pin a verified digest if the data
        # plane must not change under a fixed manifest.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-proxyv2:1.9.0-e8a74
        name: istio-proxy
        ports:
        - containerPort: 15020
          protocol: TCP
        - containerPort: 8080
          protocol: TCP
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        # The probe targets port 15021, which is not among the declared containerPorts.
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 2
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        # Container hardening: no privilege escalation, all capabilities dropped,
        # not privileged, read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/istio/config
          name:
# Continues the volumeMounts of the cluster-local-gateway proxy container; the
# first token is the volume name for the /etc/istio/config mount.
            config-volume
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/secrets/tokens
          name: istio-token
          readOnly: true
        - mountPath: /var/lib/istio/data
          name: istio-data
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      # Pod runs as non-root UID/GID 1337.
      securityContext:
        fsGroup: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
      serviceAccountName: cluster-local-gateway-service-account
      volumes:
      - configMap:
          name: istio-ca-root-cert
        name: istiod-ca-cert
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              fieldPath: metadata.annotations
            path: annotations
          - path: cpu-limit
            resourceFieldRef:
              containerName: istio-proxy
              divisor: 1m
              resource: limits.cpu
          - path: cpu-request
            resourceFieldRef:
              containerName: istio-proxy
              divisor: 1m
              resource: requests.cpu
        name: podinfo
      - emptyDir: {}
        name: istio-envoy
      - emptyDir: {}
        name: istio-data
      # Audience-bound projected token (audience istio-ca) that expires after
      # 43200 seconds (12 hours).
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      - configMap:
          name: istio
          optional: true
        name: config-volume
      # Both certificate Secrets are optional, so the pod starts without them.
      - name: ingressgateway-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-certs
      - name: ingressgateway-ca-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-ca-certs
---
# NOTE(review): this Gateway accepts any host ('*') on port 80 over plaintext
# HTTP; no TLS server block is defined here. Transport protection, if any,
# would have to come from mesh mTLS configured elsewhere (not visible in this
# excerpt).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  labels:
    release: istio
  name: cluster-local-gateway
  namespace: istio-system
spec:
  selector:
    app: cluster-local-gateway
    istio: cluster-local-gateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---
# NOTE(review): an ALLOW policy whose only rule is empty matches every request,
# so this is an explicit allow-all for the cluster-local-gateway workload.
# Authorization for traffic that enters through this gateway therefore has to
# be enforced at the destination workloads.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: cluster-local-gateway
  namespace: istio-system
spec:
  action: ALLOW
  rules:
  - {}
  selector:
    matchLabels:
      app: cluster-local-gateway
      istio: cluster-local-gateway
================================================
FILE:
manifest1.3/014-kubeflow-namespace-kubeflow-namespace-base.yaml
================================================
# The kubeflow namespace, labelled for Istio sidecar injection and Katib
# metrics-collector injection.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    control-plane: kubeflow
    istio-injection: enabled
    katib-metricscollector-injection: enabled
  name: kubeflow
================================================
FILE: manifest1.3/015-kubeflow-roles-kubeflow-roles-base.yaml
================================================
# Aggregated ClusterRoles: rules are empty here and are filled from every
# ClusterRole carrying the matching aggregate-to-* label.
# NOTE(review): any ClusterRole created with one of these labels silently
# widens the aggregate, so permission to create or label ClusterRoles is
# equivalent to permission to extend kubeflow-admin / kubeflow-edit.
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeflow-admin
rules: []
---
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
  name: kubeflow-edit
rules: []
---
# Adds management of Roles and RoleBindings to kubeflow-admin. The escalate
# and bind verbs are not granted, so the API server's RBAC escalation checks
# still apply to what a holder can hand out.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
  name: kubeflow-kubernetes-admin
rules:
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  verbs:
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
---
# Core-API rules aggregated into kubeflow-edit.
# NOTE(review): this role combines three sensitive grants: read access to
# Secrets, exec/attach/portforward/proxy into pods, and impersonation of
# ServiceAccounts. The effective scope depends on whether it is bound with a
# RoleBinding or a ClusterRoleBinding; the bindings are not in this excerpt.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
  name: kubeflow-kubernetes-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  # Lets the holder act as any ServiceAccount within the binding's scope.
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  -
# Continues the write rule for core resources in the kubeflow-kubernetes-edit
# ClusterRole from the previous dump line.
    persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  # Write access to Secrets and ServiceAccounts is part of this rule.
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
# Holders can also create and delete NetworkPolicies and Ingresses.
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
---
# Read-only rules aggregated into kubeflow-view. Secrets do not appear in any
# resource list of this role as far as this dump line shows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
  name: kubeflow-kubernetes-view
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  -
# Continues the apps rule of the kubeflow-kubernetes-view ClusterRole from the
# previous dump line; every rule here is get/list/watch only.
    deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
---
# kubeflow-view is itself labelled aggregate-to-kubeflow-edit, so everything
# aggregated into view is also part of edit.
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
  name: kubeflow-view
rules: []
================================================
FILE: manifest1.3/016-istio-1-9-0-kubeflow-istio-resources-base.yaml
================================================
# Aggregated Istio admin role, folded into kubeflow-admin via its label.
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
  name: kubeflow-istio-admin
rules: []
---
# Istio edit rules, aggregated into both kubeflow-edit and kubeflow-istio-admin;
# the apiGroups list continues on the next dump line.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
  name: kubeflow-istio-edit
rules:
- apiGroups:
  - istio.io
  -
# Continues the apiGroups list of the kubeflow-istio-edit ClusterRole from the
# previous dump line.
    networking.istio.io
  # Wildcard resources: every kind in the two API groups above, including
  # routing objects such as Gateway and VirtualService. security.istio.io is
  # not listed, so AuthorizationPolicy is outside this rule.
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - deletecollection
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
  name: kubeflow-istio-view
rules:
- apiGroups:
  - istio.io
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
---
# NOTE(review): the Kubeflow entry Gateway binds to the istio ingressgateway
# and accepts any host on plaintext HTTP port 80; no TLS server is defined in
# this manifest. Credentials and session cookies sent through it are only as
# protected as whatever terminates TLS in front of it, if anything does.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kubeflow-gateway
  namespace: kubeflow
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
================================================
FILE: manifest1.3/017-pipeline-env-platform-agnostic-multi-user.yaml
================================================
# CustomResourceDefinitions for Kubeflow Pipelines (Argo and metacontroller kinds).
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
# None of the CRDs on this dump line declares a validation schema, so the API
# server accepts arbitrary object bodies for these kinds.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: clusterworkflowtemplates.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: ClusterWorkflowTemplate
    listKind: ClusterWorkflowTemplateList
    plural: clusterworkflowtemplates
    shortNames:
    - clusterwftmpl
    - cwft
    singular: clusterworkflowtemplate
  scope: Cluster
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    kustomize.component: metacontroller
  name: compositecontrollers.metacontroller.k8s.io
spec:
  group: metacontroller.k8s.io
  names:
    kind: CompositeController
    plural: compositecontrollers
    shortNames:
    - cc
    - cctl
    singular: compositecontroller
  scope: Cluster
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    kustomize.component: metacontroller
  name: controllerrevisions.metacontroller.k8s.io
spec:
  group: metacontroller.k8s.io
  names:
    kind: ControllerRevision
    plural: controllerrevisions
    singular: controllerrevision
  scope: Namespaced
# Continues the spec of the controllerrevisions.metacontroller.k8s.io CRD from
# the previous dump line.
  version: v1alpha1
---
# More Kubeflow Pipelines CRDs, all on the v1beta1 CRD API (removed in
# Kubernetes 1.22) and without a validation schema in this manifest.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: cronworkflows.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: CronWorkflow
    listKind: CronWorkflowList
    plural: cronworkflows
    shortNames:
    - cwf
    - cronwf
    singular: cronworkflow
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    kustomize.component: metacontroller
  name: decoratorcontrollers.metacontroller.k8s.io
spec:
  group: metacontroller.k8s.io
  names:
    kind: DecoratorController
    plural: decoratorcontrollers
    shortNames:
    - dec
    - decorators
    singular: decoratorcontroller
  scope: Cluster
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: scheduledworkflows.kubeflow.org
spec:
  group: kubeflow.org
  names:
    kind: ScheduledWorkflow
    listKind: ScheduledWorkflowList
    plural: scheduledworkflows
    shortNames:
    - swf
    singular: scheduledworkflow
  scope: Namespaced
  versions:
  - name: v1beta1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: viewers.kubeflow.org
spec:
  group: kubeflow.org
  names:
    kind: Viewer
    listKind: ViewerList
    plural: viewers
    shortNames:
    - vi
    singular: viewer
  scope: Namespaced
  versions:
  - name: v1beta1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: workfloweventbindings.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: WorkflowEventBinding
    listKind:
# Continues the names block of the workfloweventbindings.argoproj.io CRD; the
# first token is the listKind value.
      WorkflowEventBindingList
    plural: workfloweventbindings
    shortNames:
    - wfeb
    singular: workfloweventbinding
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
# Argo Workflow CRD. A Workflow object describes pods to run, so write access
# to this kind is effectively pod-creation access through the workflow
# controller (see the RBAC roles later in this file).
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: workflows.argoproj.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.phase
    description: Status of the workflow
    name: Status
    type: string
  - JSONPath: .status.startedAt
    description: When the workflow was started
    format: date-time
    name: Age
    type: date
  group: argoproj.io
  names:
    kind: Workflow
    listKind: WorkflowList
    plural: workflows
    shortNames:
    - wf
    singular: workflow
  scope: Namespaced
  subresources: {}
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: workflowtemplates.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: WorkflowTemplate
    listKind: WorkflowTemplateList
    plural: workflowtemplates
    shortNames:
    - wftmpl
    singular: workflowtemplate
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
---
# ServiceAccounts for the pipeline components, all in the kubeflow namespace.
# None of them sets automountServiceAccountToken, so pods using them get the
# cluster default token-mounting behaviour.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: argo
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: cache-server
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-cache
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-cache-deployer-sa
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
# Continues the labels of the ServiceAccount opened on the previous dump line.
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-container-builder
  namespace: kubeflow
---
# Further per-component ServiceAccounts in the kubeflow namespace; the Roles
# and ClusterRoles later in this file define what each identity may do once
# bound (the bindings themselves are not on this dump line).
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-metadata-writer
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-viewer
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    kustomize.component: metacontroller
  name: meta-controller-service
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: metadata-grpc-server
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-persistenceagent
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-scheduledworkflow
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-ui
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
# Continues the metadata of the ServiceAccount opened on the previous dump line.
  name: ml-pipeline-viewer-crd-service-account
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-visualizationserver
  namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: mysql
  namespace: kubeflow
---
# Identity named for pipeline step pods; see the pipeline-runner Role later in
# this file for the permissions defined under the same name.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: pipeline-runner
  namespace: kubeflow
---
# Namespaced Roles (kubeflow namespace) follow.
# NOTE(review): get on secrets with no resourceNames restriction allows
# reading any Secret in the kubeflow namespace whose name is known.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: argo-role
  namespace: kubeflow
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
---
# NOTE(review): full read/write on every Secret in the kubeflow namespace
# (create, delete, get, patch, list), again without resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: cache-deployer
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-cache-deployer-role
  namespace: kubeflow
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - patch
  - list
---
# Cache server: may update and patch pods and workflows in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: cache-server
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-cache-role
  namespace: kubeflow
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - get
  - list
  - watch
  - update
  - patch
---
# Metadata-writer Role; its name value and rules are on the next dump line.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: kubeflow-pipelines-metadata-writer-role
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name:
# Continues the metadata-writer Role; the first token is the value of the
# metadata.name key that ends the previous dump line.
    kubeflow-pipelines-metadata-writer-role
  namespace: kubeflow
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - get
  - list
  - watch
  - update
  - patch
---
# Pipelines API server Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: ml-pipeline
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline
  namespace: kubeflow
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - kubeflow.org
  resources:
  - scheduledworkflows
  verbs:
  - create
  - get
  - list
  - update
  - patch
  - delete
# NOTE(review): subjectaccessreviews and tokenreviews are cluster-scoped APIs,
# and a namespaced Role does not normally grant access to cluster-scoped
# resources. If the API server relies on these checks for multi-user
# authorization, confirm that a matching ClusterRole is bound elsewhere in
# this file.
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
---
# Persistence agent: read-only on workflows and scheduled workflows.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-persistenceagent-role
  namespace: kubeflow
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - kubeflow.org
  resources:
  - scheduledworkflows
  verbs:
  - get
  - list
  - watch
---
# Scheduled-workflow controller Role; its last rule continues on the next dump line.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: ml-pipeline-scheduledworkflow-role
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-scheduledworkflow-role
  namespace: kubeflow
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - kubeflow.org
  resources:
  - scheduledworkflows
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
-
# Continues the last rule of the ml-pipeline-scheduledworkflow-role Role from
# the previous dump line.
  apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# Pipelines UI Role.
# NOTE(review): the UI identity can get and list every Secret in the kubeflow
# namespace (no resourceNames). Because this is a web-facing component, a flaw
# in the UI server would expose those Secrets; narrowing the rule to the
# Secrets the UI actually needs would reduce that exposure.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: ml-pipeline-ui
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-ui
  namespace: kubeflow
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - kubeflow.org
  resources:
  - viewers
  verbs:
  - create
  - get
  - list
  - watch
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - get
  - list
---
# Viewer controller Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-viewer-controller-role
  namespace: kubeflow
rules:
# NOTE(review): apiGroups '*' matches resources named deployments or services
# in any API group, not only apps and the core group.
- apiGroups:
  - '*'
  resources:
  - deployments
  - services
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - kubeflow.org
  resources:
  - viewers
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
---
# Role named for pipeline step pods (the bindings are not in this excerpt).
# NOTE(review): this is the broadest namespaced Role in the file. It grants
# wildcard verbs on pods, pods/exec, services, deployments and replicasets,
# plus get on any Secret. Whoever can submit a pipeline that runs under this
# identity can therefore start arbitrary pods and exec into existing ones in
# the kubeflow namespace. Treat pipeline submission as equivalent to namespace
# admin when threat-modelling.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: pipeline-runner
  namespace: kubeflow
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
# persistentvolumes is a cluster-scoped resource; presumably only the
# persistentvolumeclaims part of this rule takes effect through a namespaced
# Role (confirm).
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  - persistentvolumeclaims
  verbs:
  - '*'
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshots
  verbs:
  - create
  - delete
  - get
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - pods/log
  - services
  verbs:
  - '*'
- apiGroups:
  - ""
  - apps
  - extensions
  resources:
  - deployments
  - replicasets
  verbs:
  - '*'
- apiGroups:
  -
# Continues the pipeline-runner Role from the previous dump line; the first
# token is the API group for this rule.
    kubeflow.org
  # Wildcard resources and verbs: every kubeflow.org kind in the namespace.
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - '*'
- apiGroups:
  - machinelearning.seldon.io
  resources:
  - seldondeployments
  verbs:
  - '*'
---
# Rules aggregated into kubeflow-pipelines-edit. The pipelines.kubeflow.org
# group and verbs such as archive, retry, terminate, enable and disable are
# not built-in Kubernetes verbs; presumably they are evaluated by the
# Pipelines API server through access reviews (confirm).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: "true"
  name: aggregate-to-kubeflow-pipelines-edit
rules:
- apiGroups:
  - pipelines.kubeflow.org
  resources:
  - pipelines
  - pipelines/versions
  verbs:
  - create
  - delete
  - update
- apiGroups:
  - pipelines.kubeflow.org
  resources:
  - experiments
  verbs:
  - archive
  - create
  - delete
  - unarchive
- apiGroups:
  - pipelines.kubeflow.org
  resources:
  - runs
  verbs:
  - archive
  - create
  - delete
  - retry
  - terminate
  - unarchive
- apiGroups:
  - pipelines.kubeflow.org
  resources:
  - jobs
  verbs:
  - create
  - delete
  - disable
  - enable
---
# Rules aggregated into kubeflow-pipelines-view.
# NOTE(review): despite the "view" name, this role includes create and delete
# on kubeflow.org viewers and create on visualizations.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-view: "true"
  name: aggregate-to-kubeflow-pipelines-view
rules:
- apiGroups:
  - pipelines.kubeflow.org
  resources:
  - pipelines
  - pipelines/versions
  - experiments
  - runs
  - jobs
  verbs:
  - get
  - list
- apiGroups:
  - kubeflow.org
  resources:
  - viewers
  verbs:
  - create
  - get
  - delete
- apiGroups:
  - pipelines.kubeflow.org
  resources:
  - visualizations
  verbs:
  - create
---
# NOTE(review): the rbac.authorization.k8s.io/aggregate-to-admin label folds
# these Argo permissions into the cluster's built-in admin ClusterRole, so
# every existing holder of admin gains write access to Argo workflow objects
# once this manifest is applied.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: argo-aggregate-to-admin
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  - workfloweventbindings
  - workfloweventbindings/finalizers
  - workflowtemplates
  - workflowtemplates/finalizers
  - cronworkflows
  -
# Continues the resources list of the argo-aggregate-to-admin ClusterRole from
# the previous dump line.
    cronworkflows/finalizers
  - clusterworkflowtemplates
  - clusterworkflowtemplates/finalizers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
---
# Same Argo write permissions, folded into the built-in edit ClusterRole via
# the aggregate-to-edit label.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: argo-aggregate-to-edit
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  - workfloweventbindings
  - workfloweventbindings/finalizers
  - workflowtemplates
  - workflowtemplates/finalizers
  - cronworkflows
  - cronworkflows/finalizers
  - clusterworkflowtemplates
  - clusterworkflowtemplates/finalizers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
---
# Read-only Argo permissions folded into the built-in view ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: argo-aggregate-to-view
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  - workfloweventbindings
  - workfloweventbindings/finalizers
  - workflowtemplates
  - workflowtemplates/finalizers
  - cronworkflows
  - cronworkflows/finalizers
  - clusterworkflowtemplates
  - clusterworkflowtemplates/finalizers
  verbs:
  - get
  - list
  - watch
---
# ClusterRole for the Argo workflow controller.
# NOTE(review): includes create/update/delete on pods and pods/exec. Whether
# that applies cluster-wide or to a single namespace depends on the binding
# kind (ClusterRoleBinding vs RoleBinding), which is not in this excerpt;
# check it before treating the controller as namespace-confined.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: argo-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  - create
- apiGroups:
  - argoproj.io
  resources:
  - workflowtemplates
  - workflowtemplates/finalizers
  - clusterworkflowtemplates
  - clusterworkflowtemplates/finalizers
  verbs:
  - get
- list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - get - list - apiGroups: - argoproj.io resources: - cronworkflows - cronworkflows/finalizers verbs: - get - list - watch - update - patch - delete - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - policy resources: - poddisruptionbudgets verbs: - create - get - delete ---
# Cluster-wide permissions for the cache deployer. A ClusterRoleBinding later in
# this file grants them to ServiceAccount kubeflow-pipelines-cache-deployer-sa.
# Review: this role combines certificate approval with admission-webhook
# management, both cluster-scoped and highly privileged. Whoever controls the
# bound ServiceAccount can approve CSRs and install or alter mutating webhooks
# for the whole cluster, so treat that pod as part of the trusted computing base.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kubeflow-pipelines-cache-deployer-clusterrole
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-cache-deployer-clusterrole
rules:
# Create CSRs and update their approval subresource.
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  - certificatesigningrequests/approval
  verbs:
  - create
  - delete
  - get
  - update
# No resourceNames here, so get/patch/delete apply to every
# MutatingWebhookConfiguration in the cluster. Those three verbs can be limited
# with resourceNames to the one configuration this component owns (create
# cannot be restricted by name).
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
# The wildcard covers every signer under kubernetes.io/. Narrow resourceNames
# to the single signer the cache webhook certificate is requested from.
- apiGroups:
  - certificates.k8s.io
  resourceNames:
  - kubernetes.io/*
  resources:
  - signers
  verbs:
  - approve
---
# Cluster-wide permissions for the cache server: read and modify pods and Argo
# workflows in every namespace, and read configmaps.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cache-server
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-cache-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - get
  - list
  - watch
  - update
  - patch
--- aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" name: kubeflow-pipelines-edit
rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: kubeflow-pipelines-metadata-writer-role rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch - update - patch - apiGroups: - "" resources: - configmaps verbs: - get - apiGroups: - argoproj.io resources: - workflows verbs: - get - list - watch - update - patch --- aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-view: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: "true" rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" name: kubeflow-pipelines-view rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline-persistenceagent-role rules: - apiGroups: - argoproj.io resources: - workflows verbs: - get - list - watch - apiGroups: - kubeflow.org resources: - scheduledworkflows verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline-scheduledworkflow-role rules: - apiGroups: - argoproj.io resources: - workflows verbs: - create - get - list - watch - update - patch - delete - apiGroups: - kubeflow.org resources: - scheduledworkflows verbs: - create - get - list - watch - update - patch - delete - apiGroups: - "" resources: - events verbs: - create - patch --- apiVersion: 
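rbac.authorization.k8s.io/v1
# ClusterRole for the pipelines UI. It is bound cluster-wide to ServiceAccount
# ml-pipeline-ui by a ClusterRoleBinding later in this file.
kind: ClusterRole
metadata:
  labels:
    app: ml-pipeline-ui
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-ui
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
# Review: get/list on secrets through a ClusterRoleBinding means the UI's
# ServiceAccount can read every Secret in every namespace, including
# service-account tokens and registry credentials. If the UI only needs the
# artifact-store secret, grant it through namespaced Roles with resourceNames
# instead. NOTE(review): confirm which secrets the UI actually reads before
# narrowing.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - kubeflow.org
  resources:
  - viewers
  verbs:
  - create
  - get
  - list
  - watch
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - get
  - list
---
# ClusterRole for the viewer CRD controller: full management of deployments,
# services and kubeflow.org viewers in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-viewer-controller-role
rules:
# Review: apiGroups '*' matches resources named deployments or services in any
# API group, including groups added later by CRDs or aggregated APIs. Listing
# the intended groups explicitly keeps the grant from widening silently.
# NOTE(review): presumably "apps" and the core group; confirm against the
# controller before changing.
- apiGroups:
  - '*'
  resources:
  - deployments
  - services
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - kubeflow.org
  resources:
  - viewers
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
---
# ClusterRole for the pipelines API server (ServiceAccount ml-pipeline).
# rbac.authorization.k8s.io/v1 is used because the v1beta1 RBAC API is not
# served from Kubernetes 1.22 onward; the schema is the same.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline
rules:
# Includes delete on pods in every namespace.
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - kubeflow.org
  resources:
  - scheduledworkflows
  verbs:
  - create
  - get
  - list
  - update
  - patch
  - delete
# SubjectAccessReview and TokenReview creation lets the API server ask the
# cluster whether a caller is authenticated and authorized.
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
--- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: application-crd-id: kubeflow-pipelines name: argo-binding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: argo-role subjects: -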
kind: ServiceAccount name: argo namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: cache-server app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: kubeflow-pipelines-cache-binding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubeflow-pipelines-cache-role subjects: - kind: ServiceAccount name: kubeflow-pipelines-cache namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: cache-deployer app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: kubeflow-pipelines-cache-deployer-rolebinding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubeflow-pipelines-cache-deployer-role subjects: - kind: ServiceAccount name: kubeflow-pipelines-cache-deployer-sa namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: kubeflow-pipelines-metadata-writer-binding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubeflow-pipelines-metadata-writer-role subjects: - kind: ServiceAccount name: kubeflow-pipelines-metadata-writer namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: ml-pipeline app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: ml-pipeline subjects: - kind: ServiceAccount name: ml-pipeline namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: ml-pipeline 
app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline-persistenceagent-binding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: ml-pipeline-persistenceagent-role subjects: - kind: ServiceAccount name: ml-pipeline-persistenceagent namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline-scheduledworkflow-binding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: ml-pipeline-scheduledworkflow-role subjects: - kind: ServiceAccount name: ml-pipeline-scheduledworkflow namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: ml-pipeline-ui app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline-ui namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: ml-pipeline-ui subjects: - kind: ServiceAccount name: ml-pipeline-ui namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline-viewer-crd-binding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: ml-pipeline-viewer-controller-role subjects: - kind: ServiceAccount name: ml-pipeline-viewer-crd-service-account namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: pipeline-runner-binding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: pipeline-runner subjects: - 
kind: ServiceAccount name: pipeline-runner namespace: kubeflow ---
# The ClusterRoleBindings below apply in every namespace, although each subject
# is a ServiceAccount in the kubeflow namespace.
#
# argo-cluster-role (defined earlier in this file) includes create on pods/exec,
# so the argo ServiceAccount can exec into pods cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: argo-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-cluster-role
subjects:
- kind: ServiceAccount
  name: argo
  namespace: kubeflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: cache-server
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-cache-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-pipelines-cache-role
subjects:
- kind: ServiceAccount
  name: kubeflow-pipelines-cache
  namespace: kubeflow
---
# Grants the CSR-approval and mutating-webhook permissions of
# kubeflow-pipelines-cache-deployer-clusterrole to the cache deployer pod.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-cache-deployer-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-pipelines-cache-deployer-clusterrole
subjects:
- kind: ServiceAccount
  name: kubeflow-pipelines-cache-deployer-sa
  namespace: kubeflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-metadata-writer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-pipelines-metadata-writer-role
subjects:
- kind: ServiceAccount
  name: kubeflow-pipelines-metadata-writer
  namespace: kubeflow
---
# Review: this binds the built-in cluster-admin ClusterRole to the
# meta-controller-service ServiceAccount, so that pod holds unrestricted access
# to every resource in the cluster. The sync hook in this file (sync.py) only
# emits Secret, ConfigMap, Deployment, Service, DestinationRule and
# AuthorizationPolicy children, so a purpose-built ClusterRole limited to the
# resources metacontroller manages would be a much smaller grant.
# NOTE(review): confirm which other controllers this metacontroller serves
# before narrowing. Until then, monitor and restrict access to this
# ServiceAccount's token as you would a cluster administrator credential.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    kustomize.component: metacontroller
  name: meta-controller-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: meta-controller-service
  namespace: kubeflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-persistenceagent-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ml-pipeline-persistenceagent-role
subjects:
- kind: ServiceAccount
  name: ml-pipeline-persistenceagent
  namespace: kubeflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-scheduledworkflow-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ml-pipeline-scheduledworkflow-role
subjects:
- kind: ServiceAccount
  name: ml-pipeline-scheduledworkflow
  namespace: kubeflow
---
# The ml-pipeline-ui ClusterRole includes get/list on secrets, so this binding
# makes every Secret in the cluster readable by the UI's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: ml-pipeline-ui
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-ui
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ml-pipeline-ui
subjects:
- kind: ServiceAccount
  name: ml-pipeline-ui
  namespace: kubeflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-viewer-crd-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ml-pipeline-viewer-controller-role
subjects:
- kind: ServiceAccount
  name: ml-pipeline-viewer-crd-service-account
  namespace: kubeflow
--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: labels:
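app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: ml-pipeline subjects: - kind: ServiceAccount name: ml-pipeline namespace: kubeflow ---
# ConfigMap holding the profile controller's sync hook. The
# kubeflow-pipelines-profile-controller Deployment mounts it at /hooks and runs
# "python /hooks/sync.py".
apiVersion: v1
data:
  sync.py: |
    # Copyright 2020-2021 Google LLC
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #      http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.

    # Security notes (review):
    # - Requests are not authenticated, and sync responses embed the MinIO
    #   access and secret keys. The Deployment that runs this script disables
    #   Istio sidecar injection, so mesh policy does not gate port 8080. Limit
    #   ingress to this pod (for example with a NetworkPolicy) to the controller
    #   that calls the hook.
    # - Every pipelines-enabled namespace receives the same MinIO credentials,
    #   so all tenants share one object-store identity.

    from http.server import BaseHTTPRequestHandler, HTTPServer
    import json
    import os
    import base64


    def b64_env(name):
        """Return required environment variable *name* as base64 text.

        Kubernetes Secret "data" values are base64 strings. Exits with a clear
        message when the variable is unset, rather than failing inside bytes().
        """
        value = os.environ.get(name)
        if value is None:
            raise SystemExit(
                "Required environment variable " + name + " is not set")
        return base64.b64encode(value.encode('utf-8')).decode('utf-8')


    kfp_version = os.environ["KFP_VERSION"]
    disable_istio_sidecar = os.environ.get("DISABLE_ISTIO_SIDECAR") == "true"
    mlpipeline_minio_access_key = b64_env("MINIO_ACCESS_KEY")
    mlpipeline_minio_secret_key = b64_env("MINIO_SECRET_KEY")


    class Controller(BaseHTTPRequestHandler):
        """JSON sync webhook: observed parent/children in, desired state out."""

        def sync(self, parent, children):
            """Return the desired status and child objects for one namespace.

            parent is the namespace object; children maps "Kind.apiVersion"
            keys to the objects currently observed. Namespaces without the
            label pipelines.kubeflow.org/enabled=true get no children.
            """
            pipeline_enabled = parent.get("metadata", {}).get(
                "labels", {}).get("pipelines.kubeflow.org/enabled")

            if pipeline_enabled != "true":
                return {"status": {}, "children": []}

            # Compute status based on observed state.
            expected_counts = {
                "Secret.v1": 1,
                "ConfigMap.v1": 1,
                "Deployment.apps/v1": 2,
                "Service.v1": 2,
                "DestinationRule.networking.istio.io/v1alpha3": 1,
                "AuthorizationPolicy.security.istio.io/v1beta1": 1,
            }
            ready = all(
                len(children[kind]) == count
                for kind, count in expected_counts.items())
            desired_status = {
                "kubeflow-pipelines-ready": "True" if ready else "False"
            }

            # Pod annotation that opts the generated pods out of the Istio
            # sidecar when DISABLE_ISTIO_SIDECAR is "true".
            pod_annotations = (
                {"sidecar.istio.io/inject": "false"}
                if disable_istio_sidecar else {})

            # Generate the desired child object(s).
            # parent is a namespace
            namespace = parent.get("metadata", {}).get("name")
            desired_resources = [
                {
                    "apiVersion": "v1",
                    "kind": "ConfigMap",
                    "metadata": {
                        "name": "metadata-grpc-configmap",
                        "namespace": namespace,
                    },
                    "data": {
                        "METADATA_GRPC_SERVICE_HOST":
                        "metadata-grpc-service.kubeflow",
                        "METADATA_GRPC_SERVICE_PORT": "8080",
                    },
                },
                # Visualization server related manifests below
                {
                    "apiVersion": "apps/v1",
                    "kind": "Deployment",
                    "metadata": {
                        "labels": {
                            "app": "ml-pipeline-visualizationserver"
                        },
                        "name": "ml-pipeline-visualizationserver",
                        "namespace": namespace,
                    },
                    "spec": {
                        "selector": {
                            "matchLabels": {
                                "app": "ml-pipeline-visualizationserver"
                            },
                        },
                        "template": {
                            "metadata": {
                                "labels": {
                                    "app": "ml-pipeline-visualizationserver"
                                },
                                "annotations": pod_annotations,
                            },
                            "spec": {
                                "containers": [{
                                    "image":
                                    "gcr.io/ml-pipeline/visualization-server:"
                                    + kfp_version,
                                    "imagePullPolicy":
                                    "IfNotPresent",
                                    "name":
                                    "ml-pipeline-visualizationserver",
                                    "ports": [{
                                        "containerPort": 8888
                                    }],
                                    "resources": {
                                        "requests": {
                                            "cpu": "50m",
                                            "memory": "200Mi"
                                        },
                                        "limits": {
                                            "cpu": "500m",
                                            "memory": "1Gi"
                                        },
                                    }
                                }],
                                "serviceAccountName":
                                "default-editor",
                            },
                        },
                    },
                },
                {
                    "apiVersion": "networking.istio.io/v1alpha3",
                    "kind": "DestinationRule",
                    "metadata": {
                        "name": "ml-pipeline-visualizationserver",
                        "namespace": namespace,
                    },
                    "spec": {
                        "host": "ml-pipeline-visualizationserver",
                        "trafficPolicy": {
                            "tls": {
                                "mode": "ISTIO_MUTUAL"
                            }
                        }
                    }
                },
                # Only the ml-pipeline ServiceAccount in the kubeflow namespace
                # may call the visualization server.
                {
                    "apiVersion": "security.istio.io/v1beta1",
                    "kind": "AuthorizationPolicy",
                    "metadata": {
                        "name": "ml-pipeline-visualizationserver",
                        "namespace": namespace,
                    },
                    "spec": {
                        "selector": {
                            "matchLabels": {
                                "app": "ml-pipeline-visualizationserver"
                            }
                        },
                        "rules": [{
                            "from": [{
                                "source": {
                                    "principals": [
                                        "cluster.local/ns/kubeflow/sa/ml-pipeline"
                                    ]
                                }
                            }]
                        }]
                    }
                },
                {
                    "apiVersion": "v1",
                    "kind": "Service",
                    "metadata": {
                        "name": "ml-pipeline-visualizationserver",
                        "namespace": namespace,
                    },
                    "spec": {
                        "ports": [{
                            "name": "http",
                            "port": 8888,
                            "protocol": "TCP",
                            "targetPort": 8888,
                        }],
                        "selector": {
                            "app": "ml-pipeline-visualizationserver",
                        },
                    },
                },
                # Artifact fetcher related resources below.
                # NOTE(review): unlike the visualization server above, no
                # AuthorizationPolicy is generated for ml-pipeline-ui-artifact;
                # confirm another policy restricts who may call it.
                {
                    "apiVersion": "apps/v1",
                    "kind": "Deployment",
                    "metadata": {
                        "labels": {
                            "app": "ml-pipeline-ui-artifact"
                        },
                        "name": "ml-pipeline-ui-artifact",
                        "namespace": namespace,
                    },
                    "spec": {
                        "selector": {
                            "matchLabels": {
                                "app": "ml-pipeline-ui-artifact"
                            }
                        },
                        "template": {
                            "metadata": {
                                "labels": {
                                    "app": "ml-pipeline-ui-artifact"
                                },
                                "annotations": pod_annotations,
                            },
                            "spec": {
                                "containers": [{
                                    "name":
                                    "ml-pipeline-ui-artifact",
                                    "image":
                                    "gcr.io/ml-pipeline/frontend:" + kfp_version,
                                    "imagePullPolicy":
                                    "IfNotPresent",
                                    "ports": [{
                                        "containerPort": 3000
                                    }],
                                    "resources": {
                                        "requests": {
                                            "cpu": "10m",
                                            "memory": "70Mi"
                                        },
                                        "limits": {
                                            "cpu": "100m",
                                            "memory": "500Mi"
                                        },
                                    }
                                }],
                                "serviceAccountName":
                                "default-editor"
                            }
                        }
                    }
                },
                {
                    "apiVersion": "v1",
                    "kind": "Service",
                    "metadata": {
                        "name": "ml-pipeline-ui-artifact",
                        "namespace": namespace,
                        "labels": {
                            "app": "ml-pipeline-ui-artifact"
                        }
                    },
                    "spec": {
                        "ports": [{
                            "name":
                            "http",  # name is required to let istio understand request protocol
                            "port": 80,
                            "protocol": "TCP",
                            "targetPort": 3000
                        }],
                        "selector": {
                            "app": "ml-pipeline-ui-artifact"
                        }
                    }
                },
            ]
            print('Received request:', parent)
            print('Desired resources except secrets:', desired_resources)
            # Moved after the print argument because this is sensitive data.
            desired_resources.append({
                "apiVersion": "v1",
                "kind": "Secret",
                "metadata": {
                    "name": "mlpipeline-minio-artifact",
                    "namespace": namespace,
                },
                "data": {
                    "accesskey": mlpipeline_minio_access_key,
                    "secretkey": mlpipeline_minio_secret_key,
                },
            })

            return {"status": desired_status, "children": desired_resources}

        def do_POST(self):
            """Serve sync() as a JSON webhook; answer 400 to malformed requests."""
            try:
                length = int(self.headers.get("content-length"))
                if length < 0:
                    # rfile.read() with a negative size reads until EOF, which
                    # would stall this single-threaded server.
                    raise ValueError("negative content-length")
                observed = json.loads(self.rfile.read(length))
                # sync() only fails on input of the wrong shape, so it shares
                # the handler below.
                desired = self.sync(observed["parent"], observed["children"])
            except (AttributeError, KeyError, TypeError, ValueError):
                self.send_error(400, "Malformed sync request")
                return

            self.send_response(200)
            self.send_header("Content-type", "application/json")
            self.end_headers()
            self.wfile.write(bytes(json.dumps(desired), 'utf-8'))


    # Listens on all interfaces, plain HTTP, port 8080.
    HTTPServer(("", 8080), Controller).serve_forever()
kind: ConfigMap
metadata:
  labels:
    app: kubeflow-pipelines-profile-controller
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-profile-controller-code-c2cd68d9k4
  namespace: kubeflow
---
# Environment for the profile controller; sync.py reads DISABLE_ISTIO_SIDECAR.
apiVersion: v1
data:
  DISABLE_ISTIO_SIDECAR: "false"
kind: ConfigMap
metadata:
  labels:
    app: kubeflow-pipelines-profile-controller
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-profile-controller-env-5252m69c4c
  namespace: kubeflow
---
apiVersion: v1
data:
  METADATA_GRPC_SERVICE_HOST: metadata-grpc-service
  METADATA_GRPC_SERVICE_PORT: "8080"
kind: ConfigMap
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    component: metadata-grpc-server
  name: metadata-grpc-configmap
  namespace: kubeflow
---
# Viewer pods run under the default-editor ServiceAccount.
apiVersion: v1
data:
  viewer-pod-template.json: |-
    { "spec": { "serviceAccountName": "default-editor" } }
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-ui-configmap
  namespace: kubeflow
--- apiVersion: v1 data: DEFAULTPIPELINERUNNERSERVICEACCOUNT: default-editor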
MULTIUSER: "true" VISUALIZATIONSERVICE_NAME: ml-pipeline-visualizationserver VISUALIZATIONSERVICE_PORT: "8888" kind: ConfigMap metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: pipeline-api-server-config-dc9hkg52h6 namespace: kubeflow ---
# Install-wide settings that the pipeline Deployments read through
# configMapKeyRef.
apiVersion: v1
data:
  appName: pipeline
  appVersion: 1.5.0-rc.2
  autoUpdatePipelineDefaultVersion: "true"
  bucketName: mlpipeline
  cacheDb: cachedb
  # Review: no tag or digest, so the image that runs is whatever the registry
  # currently serves for this name. Pin it by digest.
  cacheImage: gcr.io/google-containers/busybox
  cronScheduleTimezone: UTC
  dbHost: mysql
  dbPort: "3306"
  mlmdDb: metadb
  pipelineDb: mlpipeline
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: pipeline-install-config
  namespace: kubeflow
---
# Argo workflow-controller configuration.
apiVersion: v1
data:
  # Review: "insecure: true" below makes artifact traffic to MinIO plain HTTP,
  # so the access key, secret key and artifact contents cross the cluster
  # network unencrypted unless a mesh or TLS-terminating layer protects the hop.
  artifactRepository: |
    archiveLogs: true
    s3:
      endpoint: "minio-service.kubeflow:9000"
      bucket: "mlpipeline"
      keyFormat: "artifacts/{{workflow.name}}/{{pod.name}}"
      # insecure will disable TLS. Primarily used for minio installs not configured with TLS
      insecure: true
      accessKeySecret:
        name: mlpipeline-minio-artifact
        key: accesskey
      secretKeySecret:
        name: mlpipeline-minio-artifact
        key: secretkey
  # Review: Argo's docker executor works through the node's Docker daemon
  # socket, which gives workflow pods a path to the host runtime. Prefer an
  # executor that does not need host runtime access where the Argo version
  # supports one. NOTE(review): confirm against the deployed Argo version.
  containerRuntimeExecutor: docker
kind: ConfigMap
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: workflow-controller-configmap
  namespace: kubeflow
---
# Review: default MinIO credentials are committed in the manifest, so they are
# identical on every install that applies this file unchanged. Replace both
# values before applying and rotate them on clusters already deployed. The
# profile controller's sync.py copies this pair into every pipelines-enabled
# namespace. Sourcing the Secret from a secret manager or a sealed/encrypted
# secret keeps the values out of version control.
apiVersion: v1
kind: Secret
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: mlpipeline-minio-artifact
  namespace: kubeflow
stringData:
  accesskey: minio
  secretkey: minio123
---
# Review: the database account is root with an empty password. The cache-server
# and metadata-grpc Deployments in this file pass these values to MySQL, so set
# a non-empty password here and in the MySQL configuration, and prefer a
# dedicated least-privilege account over root.
# NOTE(review): the MySQL Deployment is outside this section; confirm how it
# treats empty passwords.
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: mysql-secret
  namespace: kubeflow
stringData:
  password: ""
  username: root
---
# Admission webhook endpoint of the cache server (port 443 -> webhook-api).
apiVersion: v1
kind: Service
metadata:
  labels:
    app: cache-server
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: cache-server
  namespace: kubeflow
spec:
  ports:
  - port: 443
    targetPort: webhook-api
  selector:
    app: cache-server
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
---
# Review: exposes the profile controller's sync hook (sync.py, port 8080) as
# plain HTTP on port 80. The hook does not authenticate callers and its
# responses contain the MinIO credentials, so restrict ingress to these pods to
# the controller that invokes the hook.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: kubeflow-pipelines-profile-controller
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-profile-controller
  namespace: kubeflow
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: kubeflow-pipelines-profile-controller
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
--- apiVersion: v1 kind: Service metadata: labels: app: metadata-envoy application-crd-id: kubeflow-pipelines name: metadata-envoy-service namespace: kubeflow spec: ports: - name: md-envoy port: 9090 protocol: TCP selector:
application-crd-id: kubeflow-pipelines component: metadata-envoy type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app: metadata application-crd-id: kubeflow-pipelines name: metadata-grpc-service namespace: kubeflow spec: ports: - name: grpc-api port: 8080 protocol: TCP selector: application-crd-id: kubeflow-pipelines component: metadata-grpc-server type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: application-crd-id: kubeflow-pipelines name: minio-service namespace: kubeflow spec: ports: - name: http port: 9000 protocol: TCP targetPort: 9000 selector: app: minio application-crd-id: kubeflow-pipelines --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline namespace: kubeflow spec: ports: - name: http port: 8888 protocol: TCP targetPort: 8888 - name: grpc port: 8887 protocol: TCP targetPort: 8887 selector: app: ml-pipeline app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines --- apiVersion: v1 kind: Service metadata: labels: app: ml-pipeline-ui app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline-ui namespace: kubeflow spec: ports: - name: http port: 80 protocol: TCP targetPort: 3000 selector: app: ml-pipeline-ui app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline-visualizationserver namespace: kubeflow spec: ports: - name: http port: 8888 protocol: TCP targetPort: 8888 selector: app: ml-pipeline-visualizationserver app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: 
kubeflow-pipelines application-crd-id: kubeflow-pipelines --- apiVersion: v1 kind: Service metadata: labels: application-crd-id: kubeflow-pipelines name: mysql namespace: kubeflow spec: ports: - port: 3306 protocol: TCP targetPort: 3306 selector: app: mysql application-crd-id: kubeflow-pipelines --- apiVersion: v1 kind: Service metadata: labels: application-crd-id: kubeflow-pipelines name: workflow-controller-metrics namespace: kubeflow spec: ports: - name: metrics port: 9090 protocol: TCP targetPort: 9090 selector: app: workflow-controller application-crd-id: kubeflow-pipelines --- apiVersion: v1 kind: PersistentVolumeClaim metadata: labels: application-crd-id: kubeflow-pipelines name: minio-pvc namespace: kubeflow spec: accessModes: - ReadWriteOnce resources: requests: storage: 20Gi --- apiVersion: v1 kind: PersistentVolumeClaim metadata: labels: application-crd-id: kubeflow-pipelines name: mysql-pv-claim namespace: kubeflow spec: accessModes: - ReadWriteOnce resources: requests: storage: 20Gi --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: cache-deployer app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: cache-deployer-deployment namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: cache-deployer app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines strategy: type: Recreate template: metadata: labels: app: cache-deployer app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines spec: containers: - env: - name: NAMESPACE_TO_WATCH valueFrom: fieldRef: fieldPath: metadata.namespace image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-cache-deployer:1.5.0-rc.2-deb1e imagePullPolicy: Always name: main restartPolicy: Always serviceAccountName: kubeflow-pipelines-cache-deployer-sa --- apiVersion: apps/v1 kind: Deployment 
metadata:
  labels:
    app: cache-server
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: cache-server
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cache-server
      app.kubernetes.io/component: ml-pipeline
      app.kubernetes.io/name: kubeflow-pipelines
      application-crd-id: kubeflow-pipelines
  template:
    metadata:
      labels:
        app: cache-server
        app.kubernetes.io/component: ml-pipeline
        app.kubernetes.io/name: kubeflow-pipelines
        application-crd-id: kubeflow-pipelines
    spec:
      containers:
      # Review: Kubernetes expands $(DBCONFIG_PASSWORD) into the container's
      # argument list, so the database password becomes part of the process
      # command line. Anything that can list processes in the container or on
      # the node can read it. Prefer having the binary read the password from
      # the environment or a mounted file.
      # NOTE(review): confirm the server supports that before changing.
      - args:
        - --db_driver=$(DBCONFIG_DRIVER)
        - --db_host=$(DBCONFIG_HOST_NAME)
        - --db_port=$(DBCONFIG_PORT)
        - --db_name=$(DBCONFIG_DB_NAME)
        - --db_user=$(DBCONFIG_USER)
        - --db_password=$(DBCONFIG_PASSWORD)
        - --namespace_to_watch=$(NAMESPACE_TO_WATCH)
        env:
        - name: NAMESPACE_TO_WATCH
          value: ""
        - name: CACHE_IMAGE
          valueFrom:
            configMapKeyRef:
              key: cacheImage
              name: pipeline-install-config
        - name: DBCONFIG_DRIVER
          value: mysql
        - name: DBCONFIG_DB_NAME
          valueFrom:
            configMapKeyRef:
              key: cacheDb
              name: pipeline-install-config
        - name: DBCONFIG_HOST_NAME
          valueFrom:
            configMapKeyRef:
              key: dbHost
              name: pipeline-install-config
        - name: DBCONFIG_PORT
          valueFrom:
            configMapKeyRef:
              key: dbPort
              name: pipeline-install-config
        - name: DBCONFIG_USER
          valueFrom:
            secretKeyRef:
              key: username
              name: mysql-secret
        - name: DBCONFIG_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: mysql-secret
        # Review: the image comes from a third-party mirror registry and is
        # referenced by tag; with imagePullPolicy Always each restart pulls
        # whatever that tag currently points to. Pin by digest and verify the
        # mirrored image against the upstream release. The same applies to the
        # other registry.cn-shenzhen.aliyuncs.com images in this file.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-cache-server:1.5.0-rc.2-a44df
        imagePullPolicy: Always
        name: server
        ports:
        - containerPort: 8443
          name: webhook-api
        volumeMounts:
        - mountPath: /etc/webhook/certs
          name: webhook-tls-certs
          readOnly: true
      serviceAccountName: kubeflow-pipelines-cache
      volumes:
      - name: webhook-tls-certs
        secret:
          secretName: webhook-server-tls
---
# Profile controller: runs sync.py from the mounted ConfigMap as an HTTP hook
# on port 8080, with the MinIO credentials in its environment.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kubeflow-pipelines-profile-controller
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: kubeflow-pipelines-profile-controller
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubeflow-pipelines-profile-controller
      app.kubernetes.io/component: ml-pipeline
      app.kubernetes.io/name: kubeflow-pipelines
      application-crd-id: kubeflow-pipelines
  template:
    metadata:
      # Review: with sidecar injection disabled, Istio mTLS and
      # AuthorizationPolicy do not protect this pod. The hook returns the MinIO
      # credentials to unauthenticated callers, so add a NetworkPolicy (or
      # equivalent) that admits only the controller calling it.
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: kubeflow-pipelines-profile-controller
        app.kubernetes.io/component: ml-pipeline
        app.kubernetes.io/name: kubeflow-pipelines
        application-crd-id: kubeflow-pipelines
    spec:
      # No securityContext is set on the pod or container. The hook needs only
      # a read-only /hooks mount and a listening port, so runAsNonRoot,
      # allowPrivilegeEscalation: false and a read-only root filesystem are
      # likely candidates. NOTE(review): verify against the image first.
      containers:
      - command:
        - python
        - /hooks/sync.py
        env:
        - name: KFP_VERSION
          valueFrom:
            configMapKeyRef:
              key: appVersion
              name: pipeline-install-config
        - name: MINIO_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              key: accesskey
              name: mlpipeline-minio-artifact
        - name: MINIO_SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: secretkey
              name: mlpipeline-minio-artifact
        envFrom:
        - configMapRef:
            name: kubeflow-pipelines-profile-controller-env-5252m69c4c
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/python:3.7-3a781
        name: profile-controller
        ports:
        - containerPort: 8080
        volumeMounts:
        - mountPath: /hooks
          name: hooks
      volumes:
      - configMap:
          name: kubeflow-pipelines-profile-controller-code-c2cd68d9k4
        name: hooks
---
# Envoy proxy in front of the metadata service.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
    component: metadata-envoy
  name: metadata-envoy-deployment
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      application-crd-id: kubeflow-pipelines
      component: metadata-envoy
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        application-crd-id: kubeflow-pipelines
        component: metadata-envoy
    spec:
      containers:
      - image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-metadata-envoy:1.5.0-rc.2-050d1
        name: container
        ports:
        - containerPort: 9090
          name: md-envoy
        # Review: the Envoy admin port is declared on the pod and sidecar
        # injection is disabled. The metadata-envoy Service publishes only
        # 9090, but pod IPs stay reachable from inside the cluster unless a
        # NetworkPolicy blocks them.
        # NOTE(review): whether the admin listener binds beyond loopback
        # depends on the Envoy config in the image; verify.
        - containerPort: 9901
          name: envoy-admin
--- apiVersion: apps/v1 kind: Deployment metadata: labels: application-crd-id:
kubeflow-pipelines component: metadata-grpc-server name: metadata-grpc-deployment namespace: kubeflow spec: replicas: 1 selector: matchLabels: application-crd-id: kubeflow-pipelines component: metadata-grpc-server template: metadata: labels: application-crd-id: kubeflow-pipelines component: metadata-grpc-server spec: containers: - args: - --grpc_port=8080 - --mysql_config_database=$(MYSQL_DATABASE) - --mysql_config_host=$(MYSQL_HOST) - --mysql_config_port=$(MYSQL_PORT) - --mysql_config_user=$(DBCONFIG_USER) - --mysql_config_password=$(DBCONFIG_PASSWORD) - --enable_database_upgrade=true command: - /bin/metadata_store_server env: - name: DBCONFIG_USER valueFrom: secretKeyRef: key: username name: mysql-secret - name: DBCONFIG_PASSWORD valueFrom: secretKeyRef: key: password name: mysql-secret - name: MYSQL_DATABASE valueFrom: configMapKeyRef: key: mlmdDb name: pipeline-install-config - name: MYSQL_HOST valueFrom: configMapKeyRef: key: dbHost name: pipeline-install-config - name: MYSQL_PORT valueFrom: configMapKeyRef: key: dbPort name: pipeline-install-config image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/tfx-oss-public-ml_metadata_store_server:0.25.1-66134 livenessProbe: initialDelaySeconds: 3 periodSeconds: 5 tcpSocket: port: grpc-api timeoutSeconds: 2 name: container ports: - containerPort: 8080 name: grpc-api readinessProbe: initialDelaySeconds: 3 periodSeconds: 5 tcpSocket: port: grpc-api timeoutSeconds: 2 serviceAccountName: metadata-grpc-server --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: metadata-writer app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: metadata-writer namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: metadata-writer app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines template: metadata: labels: app: metadata-writer app.kubernetes.io/component: ml-pipeline 
app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines spec: containers: - env: - name: NAMESPACE_TO_WATCH value: "" image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-metadata-writer:1.5.0-rc.2-6e1cc name: main serviceAccountName: kubeflow-pipelines-metadata-writer
# (The line above is the tail of a document that begins before this span; it is left exactly as found.)
---
# Deployment of the MinIO object store, serving /data from the minio-pvc claim on
# port 9000.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: minio
    application-crd-id: kubeflow-pipelines
  name: minio
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: minio
      application-crd-id: kubeflow-pipelines
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: minio
        application-crd-id: kubeflow-pipelines
    spec:
      containers:
      - args:
        - server
        - /data
        env:
        # The AuthorizationPolicy "minio-service" later in this file contains an
        # empty rule that matches every request, so these keys are the effective
        # access control for the store. Rotate any default values.
        - name: MINIO_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              key: accesskey
              name: mlpipeline-minio-artifact
        - name: MINIO_SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: secretkey
              name: mlpipeline-minio-artifact
        # NOTE(review): the tag carries a 2019-08-14 release date. Check this build
        # against MinIO security advisories published since then.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-minio:RELEASE.2019-08-14T20-37-41Z-license-compliance-290a7
        name: minio
        ports:
        - containerPort: 9000
        resources:
          requests:
            cpu: 20m
            memory: 100Mi
        volumeMounts:
        - mountPath: /data
          name: data
          subPath: minio
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: minio-pvc
---
# Deployment of the pipelines API server (HTTP 8888, gRPC 8887), configured with
# MySQL and object-store settings from ConfigMaps and Secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ml-pipeline
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: ml-pipeline
      app.kubernetes.io/component: ml-pipeline
      app.kubernetes.io/name: kubeflow-pipelines
      application-crd-id: kubeflow-pipelines
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        app: ml-pipeline
        app.kubernetes.io/component: ml-pipeline
        app.kubernetes.io/name: kubeflow-pipelines
        application-crd-id: kubeflow-pipelines
    spec:
      containers:
      - env:
        # NOTE(review): presumably the server takes the caller's identity from this
        # request header - confirm. A header is only trustworthy if every network
        # path to the pod sets or strips it. The "ml-pipeline" AuthorizationPolicy
        # later in this file also admits requests that carry no such header.
        - name: KUBEFLOW_USERID_HEADER
          value: kubeflow-userid
        - name: KUBEFLOW_USERID_PREFIX
          value: ""
        - name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION
          valueFrom:
            configMapKeyRef:
              key: autoUpdatePipelineDefaultVersion
              name: pipeline-install-config
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # NOTE(review): looks like this turns off TLS in the object-store client -
        # confirm. The ISTIO_MUTUAL DestinationRule for minio-service later in this
        # file protects only sidecar-to-sidecar hops.
        - name: OBJECTSTORECONFIG_SECURE
          value: "false"
        - name: OBJECTSTORECONFIG_BUCKETNAME
          valueFrom:
            configMapKeyRef:
              key: bucketName
              name: pipeline-install-config
        - name: DBCONFIG_USER
          valueFrom:
            secretKeyRef:
              key: username
              name: mysql-secret
        - name: DBCONFIG_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: mysql-secret
        - name: DBCONFIG_DBNAME
          valueFrom:
            configMapKeyRef:
              key: pipelineDb
              name: pipeline-install-config
        - name: DBCONFIG_HOST
          valueFrom:
            configMapKeyRef:
              key: dbHost
              name: pipeline-install-config
        - name: DBCONFIG_PORT
          valueFrom:
            configMapKeyRef:
              key: dbPort
              name: pipeline-install-config
        - name: OBJECTSTORECONFIG_ACCESSKEY
          valueFrom:
            secretKeyRef:
              key: accesskey
              name: mlpipeline-minio-artifact
        - name: OBJECTSTORECONFIG_SECRETACCESSKEY
          valueFrom:
            secretKeyRef:
              key: secretkey
              name: mlpipeline-minio-artifact
        envFrom:
        - configMapRef:
            name: pipeline-api-server-config-dc9hkg52h6
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-api-server:1.5.0-rc.2-081bf
        imagePullPolicy: IfNotPresent
        # Both probes shell out to wget against the local health endpoint.
        livenessProbe:
          exec:
            command:
            - wget
            - -q
            - -S
            - -O
            - '-'
            - http://localhost:8888/apis/v1beta1/healthz
          initialDelaySeconds: 3
          periodSeconds: 5
          timeoutSeconds: 2
        name: ml-pipeline-api-server
        ports:
        - containerPort: 8888
          name: http
        - containerPort: 8887
          name: grpc
        readinessProbe:
          exec:
            command:
            - wget
            - -q
            - -S
            - -O
            - '-'
            - http://localhost:8888/apis/v1beta1/healthz
          initialDelaySeconds: 3
          periodSeconds: 5
          timeoutSeconds: 2
        resources:
          requests:
            cpu: 250m
            memory: 500Mi
      serviceAccountName: ml-pipeline
---
# Deployment of the persistence agent.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ml-pipeline-persistenceagent
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-persistenceagent
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: ml-pipeline-persistenceagent
      app.kubernetes.io/component: ml-pipeline
      app.kubernetes.io/name: kubeflow-pipelines
      application-crd-id: kubeflow-pipelines
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        app: ml-pipeline-persistenceagent
        app.kubernetes.io/component: ml-pipeline
        app.kubernetes.io/name: kubeflow-pipelines
        application-crd-id: kubeflow-pipelines
    spec:
      containers:
      - env:
        # Presumably an empty NAMESPACE means "all namespaces" - confirm. If so, the
        # service account's RBAC should be reviewed as cluster-wide.
        - name: NAMESPACE
          value: ""
        - name: TTL_SECONDS_AFTER_WORKFLOW_FINISH
          value: "86400"
        - name: NUM_WORKERS
          value: "2"
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-persistenceagent:1.5.0-rc.2-afb97
        imagePullPolicy: IfNotPresent
        name: ml-pipeline-persistenceagent
        resources:
          requests:
            cpu: 120m
            memory: 500Mi
      serviceAccountName: ml-pipeline-persistenceagent
---
# Deployment of the scheduled-workflow controller.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ml-pipeline-scheduledworkflow
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-scheduledworkflow
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: ml-pipeline-scheduledworkflow
      app.kubernetes.io/component: ml-pipeline
      app.kubernetes.io/name: kubeflow-pipelines
      application-crd-id: kubeflow-pipelines
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        app: ml-pipeline-scheduledworkflow
        app.kubernetes.io/component: ml-pipeline
        app.kubernetes.io/name: kubeflow-pipelines
        application-crd-id: kubeflow-pipelines
    spec:
      containers:
      - env:
        - name: NAMESPACE
          value: ""
        - name: CRON_SCHEDULE_TIMEZONE
          valueFrom:
            configMapKeyRef:
              key: cronScheduleTimezone
              name: pipeline-install-config
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-scheduledworkflow:1.5.0-rc.2-d9b87
        imagePullPolicy: IfNotPresent
        name: ml-pipeline-scheduledworkflow
      serviceAccountName: ml-pipeline-scheduledworkflow
---
# Deployment of the pipelines web UI on port 3000. It holds the MinIO credentials
# and proxies artifact requests.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ml-pipeline-ui
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-ui
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: ml-pipeline-ui
      app.kubernetes.io/component: ml-pipeline
      app.kubernetes.io/name: kubeflow-pipelines
      application-crd-id: kubeflow-pipelines
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        app: ml-pipeline-ui
        app.kubernetes.io/component: ml-pipeline
        app.kubernetes.io/name: kubeflow-pipelines
        application-crd-id: kubeflow-pipelines
    spec:
      containers:
      - env:
        - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH
          value: /etc/config/viewer-pod-template.json
        - name: DEPLOYMENT
          value: KUBEFLOW
        - name: ARTIFACTS_SERVICE_PROXY_NAME
          value: ml-pipeline-ui-artifact
        - name: ARTIFACTS_SERVICE_PROXY_PORT
          value: "80"
        - name: ARTIFACTS_SERVICE_PROXY_ENABLED
          value: "true"
        - name: ENABLE_AUTHZ
          value: "true"
        # Same header-based identity as the API server. The "ml-pipeline-ui"
        # AuthorizationPolicy later in this file limits callers to the istio-system
        # namespace, which is what keeps other pods from supplying the header.
        - name: KUBEFLOW_USERID_HEADER
          value: kubeflow-userid
        - name: KUBEFLOW_USERID_PREFIX
          value: ""
        - name: MINIO_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: MINIO_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              key: accesskey
              name: mlpipeline-minio-artifact
        - name: MINIO_SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: secretkey
              name: mlpipeline-minio-artifact
        # NOTE(review): presumably this lets users submit their own visualization
        # code for the visualization server to run - confirm. If so, treat it as a
        # code-execution surface and disable it unless it is needed.
        - name: ALLOW_CUSTOM_VISUALIZATIONS
          value: "true"
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-frontend:1.5.0-rc.2-34ae9
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command:
            - wget
            - -q
            - -S
            - -O
            - '-'
            - http://localhost:3000/apis/v1beta1/healthz
          initialDelaySeconds: 3
          periodSeconds: 5
          timeoutSeconds: 2
        name: ml-pipeline-ui
        ports:
        - containerPort: 3000
        readinessProbe:
          exec:
            command:
            - wget
            - -q
            - -S
            - -O
            - '-'
            - http://localhost:3000/apis/v1beta1/healthz
          initialDelaySeconds: 3
          periodSeconds: 5
          timeoutSeconds: 2
        resources:
          requests:
            cpu: 10m
            memory: 70Mi
        volumeMounts:
        - mountPath: /etc/config
          name: config-volume
          readOnly: true
      serviceAccountName: ml-pipeline-ui
      volumes:
      - configMap:
          name: ml-pipeline-ui-configmap
        name: config-volume
---
# Deployment of the viewer CRD controller.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ml-pipeline-viewer-crd
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-viewer-crd
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: ml-pipeline-viewer-crd
      app.kubernetes.io/component: ml-pipeline
      app.kubernetes.io/name: kubeflow-pipelines
      application-crd-id: kubeflow-pipelines
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        app: ml-pipeline-viewer-crd
        app.kubernetes.io/component: ml-pipeline
        app.kubernetes.io/name: kubeflow-pipelines
        application-crd-id: kubeflow-pipelines
    spec:
      containers:
      - env:
        - name: NAMESPACE
          value: ""
        - name: MAX_NUM_VIEWERS
          value: "50"
        - name: MINIO_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-viewer-crd-controller:1.5.0-rc.2-4a500
        # "Always" re-resolves the tag on every pod start. Pin a digest if the image
        # contents must not change between restarts.
        imagePullPolicy: Always
        name: ml-pipeline-viewer-crd
      serviceAccountName: ml-pipeline-viewer-crd-service-account
# (The line below is the start of a document that continues past this span; it is left exactly as found.)
--- apiVersion: apps/v1 kind: Deployment metadata: labels: app: ml-pipeline-visualizationserver app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: ml-pipeline-visualizationserver namespace: kubeflow spec: selector: matchLabels: app: ml-pipeline-visualizationserver app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines template: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" labels: app: ml-pipeline-visualizationserver app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines spec: containers: - image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-visualization-server:1.5.0-rc.2-03636
imagePullPolicy: IfNotPresent livenessProbe: exec: command: - wget - -q - -S - -O - '-' - http://localhost:8888/ initialDelaySeconds: 3 periodSeconds: 5 timeoutSeconds: 2 name: ml-pipeline-visualizationserver ports: - containerPort: 8888 name: http readinessProbe: exec: command: - wget - -q - -S - -O - '-' - http://localhost:8888/ initialDelaySeconds: 3 periodSeconds: 5 timeoutSeconds: 2 resources: requests: cpu: 30m memory: 500Mi serviceAccountName: ml-pipeline-visualizationserver
# (The line above is the tail of a document that begins before this span; it is left exactly as found.)
---
# Deployment of the MySQL 5.7 instance that backs the pipeline components, with
# its data on the mysql-pv-claim volume.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mysql
    application-crd-id: kubeflow-pipelines
  name: mysql
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: mysql
      application-crd-id: kubeflow-pipelines
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
        application-crd-id: kubeflow-pipelines
    spec:
      containers:
      - args:
        - --ignore-db-dir=lost+found
        - --datadir
        - /var/lib/mysql
        env:
        # NOTE(review): this is the only variable passed to the container and no
        # root password is supplied. If the image follows the upstream mysql
        # entrypoint, the server is initialised with a blank root password. Access
        # control then rests on network reachability of port 3306, i.e. the
        # "mysql" AuthorizationPolicy later in this file, which only takes effect
        # if this pod gets an Istio sidecar. Prefer a root password taken from a
        # Secret.
        - name: MYSQL_ALLOW_EMPTY_PASSWORD
          value: "true"
        # MySQL 5.7 is past upstream end of life. Track a supported release.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-mysql:5.7-f8fcd
        name: mysql
        ports:
        - containerPort: 3306
          name: mysql
        resources:
          requests:
            cpu: 100m
            memory: 800Mi
        volumeMounts:
        - mountPath: /var/lib/mysql
          name: mysql-persistent-storage
      serviceAccountName: mysql
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim
---
# Deployment of the Argo workflow controller, which reads
# workflow-controller-configmap and exposes metrics on port 9090.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: workflow-controller
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: workflow-controller
      application-crd-id: kubeflow-pipelines
  template:
    metadata:
      labels:
        app: workflow-controller
        application-crd-id: kubeflow-pipelines
    spec:
      containers:
      - args:
        - --configmap
        - workflow-controller-configmap
        - --executor-image
        # NOTE(review): the executor image is pulled from gcr.io while every other
        # image in this file comes from the aliyuncs mirror. Presumably it runs
        # inside each workflow pod - confirm. Either way it is a second registry to
        # trust and to keep reachable; pin it by digest.
        - gcr.io/ml-pipeline/argoexec:v2.12.9-license-compliance
        command:
        - workflow-controller
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-workflow-controller:v2.12.9-license-compliance-2d9c1
        livenessProbe:
          httpGet:
            path: /metrics
            port: metrics
          initialDelaySeconds: 30
          periodSeconds: 30
        name: workflow-controller
        ports:
        - containerPort: 9090
          name: metrics
        resources:
          requests:
            cpu: 100m
            memory: 500Mi
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level guard: the kubelet refuses to start a container that would run as
      # UID 0.
      securityContext:
        runAsNonRoot: true
      serviceAccountName: argo
---
# StatefulSet running metacontroller, which drives the CompositeController defined
# in the next document.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: metacontroller
    application-crd-id: kubeflow-pipelines
    kustomize.component: metacontroller
  name: metacontroller
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: metacontroller
      application-crd-id: kubeflow-pipelines
      kustomize.component: metacontroller
  serviceName: ""
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: metacontroller
        application-crd-id: kubeflow-pipelines
        kustomize.component: metacontroller
    spec:
      containers:
      - command:
        - /usr/bin/metacontroller
        - --logtostderr
        - -v=4
        - --discovery-interval=20s
        # Mutable tag on a mirror registry, re-pulled on every start
        # (imagePullPolicy: Always) and run privileged (see securityContext below):
        # whatever the tag resolves to gets host-level access. Pin by digest.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/metacontroller-metacontroller:v0.3.0-5f0e4
        imagePullPolicy: Always
        name: metacontroller
        ports:
        - containerPort: 2345
        resources:
          limits:
            cpu: "4"
            memory: 4Gi
          requests:
            cpu: 500m
            memory: 1Gi
        # NOTE(review): privileged mode gives the container all capabilities and
        # access to host devices. Nothing in this pod spec (no hostPath, host
        # network or device mounts) shows a need for it. Verify the controller
        # runs with both fields set to false and tighten them.
        securityContext:
          allowPrivilegeEscalation: true
          privileged: true
      serviceAccountName: meta-controller-service
  volumeClaimTemplates: []
# (The line below is the start of a document that continues past this span; it is left exactly as found.)
--- apiVersion: metacontroller.k8s.io/v1alpha1 kind: CompositeController metadata: labels: app: kubeflow-pipelines-profile-controller app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: kubeflow-pipelines-profile-controller namespace: kubeflow spec: childResources: - apiVersion: v1 resource: secrets updateStrategy: method: OnDelete - apiVersion: v1 resource: configmaps updateStrategy: method: OnDelete - apiVersion: apps/v1 resource: deployments updateStrategy: method: InPlace - apiVersion: v1 resource: services updateStrategy: method: InPlace - apiVersion: networking.istio.io/v1alpha3 resource: destinationrules updateStrategy: method: InPlace - apiVersion:
security.istio.io/v1beta1 resource: authorizationpolicies updateStrategy: method: InPlace generateSelector: true hooks: sync: webhook: url: http://kubeflow-pipelines-profile-controller/sync parentResource: apiVersion: v1 resource: namespaces resyncPeriodSeconds: 10
# (The line above is the tail of a document that begins before this span; it is left exactly as found.)
---
# DestinationRules: make sidecar clients originate Istio mutual TLS to each
# pipeline service. This is client-side configuration only. Whether the servers
# reject plaintext depends on a PeerAuthentication policy that is not part of
# this span.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline
  namespace: kubeflow
spec:
  host: ml-pipeline.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-minio
  namespace: kubeflow
spec:
  host: minio-service.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-mysql
  namespace: kubeflow
spec:
  host: mysql.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-ui
  namespace: kubeflow
spec:
  host: ml-pipeline-ui.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-visualizationserver
  namespace: kubeflow
spec:
  host: ml-pipeline-visualizationserver.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# VirtualService: requests on kubeflow-gateway whose path starts with /ml_metadata
# are routed to the pipelines UI service on port 80.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: metadata-grpc
  namespace: kubeflow
spec:
  gateways:
  - kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /ml_metadata
    rewrite:
      uri: /ml_metadata
    route:
    - destination:
        host: ml-pipeline-ui.kubeflow.svc.cluster.local
        port:
          number: 80
---
# VirtualService: requests on kubeflow-gateway whose path starts with /pipeline
# are routed to the pipelines UI service on port 80, with a 300s timeout.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-ui
  namespace: kubeflow
spec:
  gateways:
  - kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /pipeline
    rewrite:
      uri: /pipeline
    route:
    - destination:
        host: ml-pipeline-ui.kubeflow.svc.cluster.local
        port:
          number: 80
    timeout: 300s
---
# AuthorizationPolicy for the metadata gRPC server.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: metadata-grpc-service
  namespace: kubeflow
spec:
  action: ALLOW
  rules:
  # NOTE(review): an empty rule has no from/to/when conditions and therefore
  # matches every request, so this policy allows all callers to the selected
  # workload. Confirm that is intended, or list the expected principals.
  - {}
  selector:
    matchLabels:
      component: metadata-grpc-server
---
# AuthorizationPolicy for MinIO.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: minio-service
  namespace: kubeflow
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/kubeflow/sa/ml-pipeline
  - from:
    - source:
        principals:
        - cluster.local/ns/kubeflow/sa/ml-pipeline-ui
  # NOTE(review): rules are OR-ed and this empty rule matches every request, so
  # the two principal rules above add no restriction. Presumably this admits
  # workloads without a mesh identity - confirm. As written, the MinIO access
  # keys are the only control on the object store.
  - {}
  selector:
    matchLabels:
      app: minio
---
# AuthorizationPolicy for the pipelines API server. No action is given, so the
# Istio default (ALLOW) applies.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline
  namespace: kubeflow
spec:
  rules:
  # Rule 1: the listed service accounts. Principal matching relies on mutual TLS
  # between sidecars.
  - from:
    - source:
        principals:
        - cluster.local/ns/kubeflow/sa/ml-pipeline
        - cluster.local/ns/kubeflow/sa/ml-pipeline-ui
        - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
        - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
        - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
        - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
  # Rule 2: any request WITHOUT a kubeflow-userid header, from any source.
  # NOTE(review): this rule carries no identity condition, so callers that omit
  # the header pass the mesh layer and authorization falls to the API server
  # itself. Confirm the server rejects or scopes header-less requests.
  - when:
    - key: request.headers[kubeflow-userid]
      notValues:
      - '*'
  selector:
    matchLabels:
      app: ml-pipeline
---
# AuthorizationPolicy for the pipelines UI: only sources in the istio-system
# namespace (where the ingress gateway presumably runs - confirm) are allowed.
# Namespace matching relies on mutual TLS.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-ui
  namespace: kubeflow
spec:
  rules:
  - from:
    - source:
        namespaces:
        - istio-system
  selector:
    matchLabels:
      app: ml-pipeline-ui
---
# AuthorizationPolicy for the visualization server: only the listed pipeline
# service accounts are allowed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/component: ml-pipeline
    app.kubernetes.io/name: kubeflow-pipelines
    application-crd-id: kubeflow-pipelines
  name: ml-pipeline-visualizationserver
  namespace: kubeflow
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/kubeflow/sa/ml-pipeline
        - cluster.local/ns/kubeflow/sa/ml-pipeline-ui
        - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
        - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
        - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
        - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
  selector:
    matchLabels:
      app: ml-pipeline-visualizationserver
---
# AuthorizationPolicy for MySQL: only the listed service accounts are allowed.
# NOTE(review): the mysql Deployment in this file sets MYSQL_ALLOW_EMPTY_PASSWORD,
# so this policy is the main barrier in front of the database. It is enforced
# only if the mysql pod actually runs an Istio sidecar - verify injection for
# the kubeflow namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    application-crd-id: kubeflow-pipelines
  name: mysql
  namespace: kubeflow
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/kubeflow/sa/ml-pipeline
        - cluster.local/ns/kubeflow/sa/ml-pipeline-ui
        - cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
        - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
        - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
        - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
        - cluster.local/ns/kubeflow/sa/metadata-grpc-server
  selector:
    matchLabels:
      app: mysql
# (The line below is the start of a document that continues past this span; it is left exactly as found.)
--- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels:
app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: service-cache-server namespace: kubeflow spec: rules: - {} selector: matchLabels: app: cache-server ================================================ FILE: manifest1.3/018-kfserving-overlays-kubeflow.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: kubeflow/serving-cert controller-gen.kubebuilder.io/version: v0.3.1-0.20200528125929-5c0c6ae3b64b labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving name: inferenceservices.serving.kubeflow.org spec: conversion: conversionReviewVersions: - v1alpha2 - v1beta1 strategy: Webhook webhookClientConfig: caBundle: Cg== service: name: kfserving-webhook-server-service namespace: kubeflow path: /convert group: serving.kubeflow.org names: kind: InferenceService listKind: InferenceServiceList plural: inferenceservices shortNames: - isvc singular: inferenceservice preserveUnknownFields: false scope: Namespaced subresources: status: {} version: v1alpha2 versions: - additionalPrinterColumns: - JSONPath: .status.url name: URL type: string - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.traffic name: Default Traffic type: integer - JSONPath: .status.canaryTraffic name: Canary Traffic type: integer - JSONPath: .metadata.creationTimestamp name: Age type: date name: v1alpha2 schema: openAPIV3Schema: properties: apiVersion: type: string kind: type: string metadata: type: object spec: properties: canary: properties: explainer: properties: aix: properties: config: additionalProperties: type: string type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string type: type: string required: - type type: object alibi: properties: config: additionalProperties: type: string type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string type: type: string required: - type type: object batcher: properties: maxBatchSize: type: integer maxLatency: type: integer timeout: type: integer type: object custom: properties: container: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 
x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: 
object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array 
volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string required: - name type: object required: - container type: object logger: properties: mode: type: string url: type: string type: object maxReplicas: type: integer minReplicas: type: integer parallelism: type: integer serviceAccountName: type: string type: object predictor: properties: batcher: properties: maxBatchSize: type: integer maxLatency: type: integer timeout: type: integer type: object custom: properties: container: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: 
host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: 
type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: 
localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string required: - name type: object required: - container type: object lightgbm: properties: nthread: type: integer resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object logger: properties: mode: type: string url: type: string type: object maxReplicas: type: integer minReplicas: type: integer onnx: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object parallelism: type: integer pmml: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object pytorch: properties: modelClassName: type: string resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: 
additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object serviceAccountName: type: string sklearn: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object tensorflow: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object triton: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object xgboost: properties: nthread: type: integer resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object type: object transformer: properties: batcher: properties: maxBatchSize: type: integer maxLatency: type: integer timeout: type: integer type: object custom: properties: container: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: 
properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: 
format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string 
type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string required: - name type: object 
required: - container type: object logger: properties: mode: type: string url: type: string type: object maxReplicas: type: integer minReplicas: type: integer parallelism: type: integer serviceAccountName: type: string type: object required: - predictor type: object canaryTrafficPercent: type: integer default: properties: explainer: properties: aix: properties: config: additionalProperties: type: string type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string type: type: string required: - type type: object alibi: properties: config: additionalProperties: type: string type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string type: type: string required: - type type: object batcher: properties: maxBatchSize: type: integer maxLatency: type: integer timeout: type: integer type: object custom: properties: container: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: 
string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: 
type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - 
type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: 
integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string required: - name type: object required: - container type: object logger: properties: mode: type: string url: type: string type: object maxReplicas: type: integer minReplicas: type: integer parallelism: type: integer serviceAccountName: type: string type: object predictor: properties: batcher: properties: maxBatchSize: type: integer maxLatency: type: integer timeout: type: integer type: object custom: properties: container: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key 
type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: 
int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object securityContext: properties: 
allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - 
name type: object type: array workingDir: type: string required: - name type: object required: - container type: object lightgbm: properties: nthread: type: integer resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object logger: properties: mode: type: string url: type: string type: object maxReplicas: type: integer minReplicas: type: integer onnx: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object parallelism: type: integer pmml: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object pytorch: properties: modelClassName: type: string resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object serviceAccountName: type: string sklearn: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object tensorflow: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object triton: properties: resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object xgboost: properties: nthread: type: integer resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string storageUri: type: string required: - storageUri type: object type: object transformer: properties: batcher: properties: maxBatchSize: type: integer maxLatency: type: integer timeout: type: integer type: object custom: properties: container: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: 
object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true 
required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object resources: 
properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object 
timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string required: - name type: object required: - container type: object logger: properties: mode: type: string url: type: string type: object maxReplicas: type: integer minReplicas: type: integer parallelism: type: integer serviceAccountName: type: string type: object required: - predictor type: object required: - default type: object status: properties: address: properties: url: type: string type: object annotations: additionalProperties: type: string type: object canary: additionalProperties: properties: host: type: string name: type: string type: object type: object canaryTraffic: type: integer conditions: items: properties: lastTransitionTime: type: string message: type: string reason: type: string severity: type: string status: type: string type: type: string required: - status - type type: object type: array default: additionalProperties: properties: host: type: string name: type: string type: object type: object observedGeneration: format: int64 type: integer traffic: type: integer url: type: string type: object type: object served: true storage: false - additionalPrinterColumns: - JSONPath: .status.url name: URL type: string - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .status.components.predictor.traffic[?(@.tag=='prev')].percent name: Prev type: integer - JSONPath: .status.components.predictor.traffic[?(@.latestRevision==true)].percent 
name: Latest type: integer - JSONPath: .status.components.predictor.traffic[?(@.tag=='prev')].revisionName name: PrevRolledoutRevision type: string - JSONPath: .status.components.predictor.traffic[?(@.latestRevision==true)].revisionName name: LatestReadyRevision type: string - JSONPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: apiVersion: type: string kind: type: string metadata: type: object spec: properties: explainer: properties: activeDeadlineSeconds: format: int64 type: integer affinity: properties: nodeAffinity: properties: preferredDuringSchedulingIgnoredDuringExecution: items: properties: preference: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchFields: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array type: object weight: format: int32 type: integer required: - preference - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: properties: nodeSelectorTerms: items: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchFields: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array type: object type: array required: - nodeSelectorTerms type: object type: object podAffinity: properties: preferredDuringSchedulingIgnoredDuringExecution: items: properties: podAffinityTerm: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: 
type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object weight: format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: items: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object type: array type: object podAntiAffinity: properties: preferredDuringSchedulingIgnoredDuringExecution: items: properties: podAffinityTerm: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object weight: format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: items: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object type: array type: object type: object aix: properties: args: items: type: string type: array command: items: type: string type: array config: additionalProperties: type: string type: object env: items: properties: name: type: string 
value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: 
string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: 
true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: 
string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean type: type: string volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object alibi: properties: args: items: type: string type: array command: items: type: string type: array config: additionalProperties: type: string type: object env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string 
lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: 
int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string 
role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean type: type: string volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object art: properties: args: items: type: string type: array command: items: type: string type: array config: additionalProperties: type: string type: object env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string 
name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - 
type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: 
properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true 
required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean type: type: string volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object automountServiceAccountToken: type: boolean batcher: properties: maxBatchSize: type: integer maxLatency: type: integer timeout: type: integer type: object canaryTrafficPercent: format: int64 type: integer containerConcurrency: format: int64 type: integer containers: items: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: 
name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - 
port type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 
type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string required: - name type: object type: array dnsConfig: properties: nameservers: items: type: string type: array options: items: properties: name: type: string value: type: string type: object type: array searches: 
items: type: string type: array type: object dnsPolicy: type: string enableServiceLinks: type: boolean hostAliases: items: properties: hostnames: items: type: string type: array ip: type: string type: object type: array hostIPC: type: boolean hostNetwork: type: boolean hostPID: type: boolean hostname: type: string imagePullSecrets: items: properties: name: type: string type: object type: array logger: properties: mode: enum: - all - request - response type: string url: type: string type: object maxReplicas: type: integer minReplicas: type: integer nodeName: type: string nodeSelector: additionalProperties: type: string type: object overhead: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object preemptionPolicy: type: string priority: format: int32 type: integer priorityClassName: type: string readinessGates: items: properties: conditionType: type: string required: - conditionType type: object type: array restartPolicy: type: string runtimeClassName: type: string schedulerName: type: string securityContext: properties: fsGroup: format: int64 type: integer fsGroupChangePolicy: type: string runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object supplementalGroups: items: format: int64 type: integer type: array sysctls: items: properties: name: type: string value: type: string required: - name - value type: object type: array windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object serviceAccount: type: string serviceAccountName: 
type: string setHostnameAsFQDN: type: boolean shareProcessNamespace: type: boolean subdomain: type: string terminationGracePeriodSeconds: format: int64 type: integer timeout: format: int64 type: integer tolerations: items: properties: effect: type: string key: type: string operator: type: string tolerationSeconds: format: int64 type: integer value: type: string type: object type: array topologySpreadConstraints: items: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object maxSkew: format: int32 type: integer topologyKey: type: string whenUnsatisfiable: type: string required: - maxSkew - topologyKey - whenUnsatisfiable type: object type: array x-kubernetes-list-map-keys: - topologyKey - whenUnsatisfiable x-kubernetes-list-type: map volumes: items: properties: awsElasticBlockStore: properties: fsType: type: string partition: format: int32 type: integer readOnly: type: boolean volumeID: type: string required: - volumeID type: object azureDisk: properties: cachingMode: type: string diskName: type: string diskURI: type: string fsType: type: string kind: type: string readOnly: type: boolean required: - diskName - diskURI type: object azureFile: properties: readOnly: type: boolean secretName: type: string shareName: type: string required: - secretName - shareName type: object cephfs: properties: monitors: items: type: string type: array path: type: string readOnly: type: boolean secretFile: type: string secretRef: properties: name: type: string type: object user: type: string required: - monitors type: object cinder: properties: fsType: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object volumeID: type: string required: - volumeID type: object configMap: properties: defaultMode: format: int32 type: integer 
items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array name: type: string optional: type: boolean type: object csi: properties: driver: type: string fsType: type: string nodePublishSecretRef: properties: name: type: string type: object readOnly: type: boolean volumeAttributes: additionalProperties: type: string type: object required: - driver type: object downwardAPI: properties: defaultMode: format: int32 type: integer items: items: properties: fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object mode: format: int32 type: integer path: type: string resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object required: - path type: object type: array type: object emptyDir: properties: medium: type: string sizeLimit: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: properties: readOnly: type: boolean volumeClaimTemplate: properties: metadata: type: object spec: properties: accessModes: items: type: string type: array dataSource: properties: apiGroup: type: string kind: type: string name: type: string required: - kind - name type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object storageClassName: type: string volumeMode: type: string volumeName: type: string type: object required: - spec type: object type: object fc: properties: fsType: type: string lun: format: int32 type: integer readOnly: type: boolean targetWWNs: items: type: string type: array wwids: items: type: string type: array type: object flexVolume: properties: driver: type: string fsType: type: string options: additionalProperties: type: string type: object readOnly: type: boolean secretRef: properties: name: type: string type: object required: - driver type: object flocker: properties: datasetName: type: string datasetUUID: type: string type: object gcePersistentDisk: properties: fsType: type: string partition: format: int32 type: integer pdName: type: string readOnly: type: boolean required: - pdName type: object gitRepo: properties: directory: type: string repository: type: string revision: type: string required: - repository type: object glusterfs: properties: endpoints: type: string path: type: string readOnly: type: boolean required: - endpoints - path type: object hostPath: properties: path: type: string type: type: string required: - path type: object iscsi: properties: chapAuthDiscovery: type: boolean chapAuthSession: type: boolean fsType: type: string initiatorName: type: string iqn: type: string iscsiInterface: type: string lun: format: int32 type: integer portals: items: type: string type: array readOnly: type: boolean secretRef: properties: name: type: string type: object targetPortal: type: string required: - iqn - lun - 
targetPortal type: object name: type: string nfs: properties: path: type: string readOnly: type: boolean server: type: string required: - path - server type: object persistentVolumeClaim: properties: claimName: type: string readOnly: type: boolean required: - claimName type: object photonPersistentDisk: properties: fsType: type: string pdID: type: string required: - pdID type: object portworxVolume: properties: fsType: type: string readOnly: type: boolean volumeID: type: string required: - volumeID type: object projected: properties: defaultMode: format: int32 type: integer sources: items: properties: configMap: properties: items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array name: type: string optional: type: boolean type: object downwardAPI: properties: items: items: properties: fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object mode: format: int32 type: integer path: type: string resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object required: - path type: object type: array type: object secret: properties: items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array name: type: string optional: type: boolean type: object serviceAccountToken: properties: audience: type: string expirationSeconds: format: int64 type: integer path: type: string required: - path type: object type: object type: array required: - sources type: object quobyte: properties: group: type: string readOnly: type: boolean registry: type: string tenant: type: string user: type: string volume: type: string 
required: - registry - volume type: object rbd: properties: fsType: type: string image: type: string keyring: type: string monitors: items: type: string type: array pool: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object user: type: string required: - image - monitors type: object scaleIO: properties: fsType: type: string gateway: type: string protectionDomain: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object sslEnabled: type: boolean storageMode: type: string storagePool: type: string system: type: string volumeName: type: string required: - gateway - secretRef - system type: object secret: properties: defaultMode: format: int32 type: integer items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array optional: type: boolean secretName: type: string type: object storageos: properties: fsType: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object volumeName: type: string volumeNamespace: type: string type: object vsphereVolume: properties: fsType: type: string storagePolicyID: type: string storagePolicyName: type: string volumePath: type: string required: - volumePath type: object required: - name type: object type: array type: object predictor: properties: activeDeadlineSeconds: format: int64 type: integer affinity: properties: nodeAffinity: properties: preferredDuringSchedulingIgnoredDuringExecution: items: properties: preference: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchFields: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array type: object weight: format: int32 type: integer required: - preference - weight type: 
object type: array requiredDuringSchedulingIgnoredDuringExecution: properties: nodeSelectorTerms: items: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchFields: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array type: object type: array required: - nodeSelectorTerms type: object type: object podAffinity: properties: preferredDuringSchedulingIgnoredDuringExecution: items: properties: podAffinityTerm: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object weight: format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: items: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object type: array type: object podAntiAffinity: properties: preferredDuringSchedulingIgnoredDuringExecution: items: properties: podAffinityTerm: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object 
namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object weight: format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: items: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object type: array type: object type: object automountServiceAccountToken: type: boolean batcher: properties: maxBatchSize: type: integer maxLatency: type: integer timeout: type: integer type: object canaryTrafficPercent: format: int64 type: integer containerConcurrency: format: int64 type: integer containers: items: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: 
properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true 
required: - port type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: 
format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string required: - name type: object type: array dnsConfig: properties: nameservers: items: type: string type: array options: items: properties: name: type: string value: type: string type: object type: 
array searches: items: type: string type: array type: object dnsPolicy: type: string enableServiceLinks: type: boolean hostAliases: items: properties: hostnames: items: type: string type: array ip: type: string type: object type: array hostIPC: type: boolean hostNetwork: type: boolean hostPID: type: boolean hostname: type: string imagePullSecrets: items: properties: name: type: string type: object type: array lightgbm: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string 
required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map protocolVersion: type: string readinessProbe: properties: exec: properties: command: items: type: string type: array type: object 
failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: 
properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object logger: properties: mode: enum: - all - request - response type: string url: type: string type: object maxReplicas: type: integer minReplicas: type: integer nodeName: type: string nodeSelector: additionalProperties: type: string type: object onnx: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object 
resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: 
type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map protocolVersion: type: string readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: 
type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object overhead: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object pmml: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: 
properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: 
integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map protocolVersion: type: string readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: 
level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object preemptionPolicy: type: string priority: format: int32 type: integer priorityClassName: type: string pytorch: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: 
properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object 
tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object modelClassName: type: string name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map protocolVersion: type: string readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string 
x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer 
tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object readinessGates: items: properties: conditionType: type: string required: - conditionType type: object type: array restartPolicy: type: string runtimeClassName: type: string schedulerName: type: string securityContext: properties: fsGroup: format: int64 type: integer fsGroupChangePolicy: type: string runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object supplementalGroups: items: format: int64 type: integer type: array sysctls: items: properties: name: type: string value: type: string required: - name - value type: object type: array windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object serviceAccount: type: string serviceAccountName: type: string setHostnameAsFQDN: type: boolean shareProcessNamespace: type: boolean sklearn: properties: args: items: type: string type: array command: items: type: string type: array env: items: 
properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string 
x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map protocolVersion: type: string readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: 
string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer 
successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object subdomain: type: string tensorflow: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: 
string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: 
properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map protocolVersion: type: string readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 
type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object terminationGracePeriodSeconds: format: int64 type: integer timeout: format: int64 type: integer tolerations: items: properties: effect: type: string key: type: string operator: type: string tolerationSeconds: format: int64 type: integer 
value: type: string type: object type: array topologySpreadConstraints: items: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object maxSkew: format: int32 type: integer topologyKey: type: string whenUnsatisfiable: type: string required: - maxSkew - topologyKey - whenUnsatisfiable type: object type: array x-kubernetes-list-map-keys: - topologyKey - whenUnsatisfiable x-kubernetes-list-type: map triton: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: 
name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array 
x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map protocolVersion: type: string readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string 
required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object volumes: items: properties: awsElasticBlockStore: properties: fsType: type: string partition: format: int32 type: integer readOnly: type: boolean volumeID: type: string required: - volumeID type: object azureDisk: properties: cachingMode: type: string diskName: type: string diskURI: type: string fsType: type: string kind: type: string readOnly: type: boolean required: - diskName - diskURI type: object azureFile: properties: readOnly: type: boolean 
secretName: type: string shareName: type: string required: - secretName - shareName type: object cephfs: properties: monitors: items: type: string type: array path: type: string readOnly: type: boolean secretFile: type: string secretRef: properties: name: type: string type: object user: type: string required: - monitors type: object cinder: properties: fsType: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object volumeID: type: string required: - volumeID type: object configMap: properties: defaultMode: format: int32 type: integer items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array name: type: string optional: type: boolean type: object csi: properties: driver: type: string fsType: type: string nodePublishSecretRef: properties: name: type: string type: object readOnly: type: boolean volumeAttributes: additionalProperties: type: string type: object required: - driver type: object downwardAPI: properties: defaultMode: format: int32 type: integer items: items: properties: fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object mode: format: int32 type: integer path: type: string resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object required: - path type: object type: array type: object emptyDir: properties: medium: type: string sizeLimit: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: properties: readOnly: type: boolean volumeClaimTemplate: properties: metadata: 
type: object spec: properties: accessModes: items: type: string type: array dataSource: properties: apiGroup: type: string kind: type: string name: type: string required: - kind - name type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object storageClassName: type: string volumeMode: type: string volumeName: type: string type: object required: - spec type: object type: object fc: properties: fsType: type: string lun: format: int32 type: integer readOnly: type: boolean targetWWNs: items: type: string type: array wwids: items: type: string type: array type: object flexVolume: properties: driver: type: string fsType: type: string options: additionalProperties: type: string type: object readOnly: type: boolean secretRef: properties: name: type: string type: object required: - driver type: object flocker: properties: datasetName: type: string datasetUUID: type: string type: object gcePersistentDisk: properties: fsType: type: string partition: format: int32 type: integer pdName: type: string readOnly: type: boolean required: - pdName type: object gitRepo: properties: directory: type: string repository: type: string revision: type: string required: - repository type: object glusterfs: properties: endpoints: type: string path: type: string readOnly: 
type: boolean required: - endpoints - path type: object hostPath: properties: path: type: string type: type: string required: - path type: object iscsi: properties: chapAuthDiscovery: type: boolean chapAuthSession: type: boolean fsType: type: string initiatorName: type: string iqn: type: string iscsiInterface: type: string lun: format: int32 type: integer portals: items: type: string type: array readOnly: type: boolean secretRef: properties: name: type: string type: object targetPortal: type: string required: - iqn - lun - targetPortal type: object name: type: string nfs: properties: path: type: string readOnly: type: boolean server: type: string required: - path - server type: object persistentVolumeClaim: properties: claimName: type: string readOnly: type: boolean required: - claimName type: object photonPersistentDisk: properties: fsType: type: string pdID: type: string required: - pdID type: object portworxVolume: properties: fsType: type: string readOnly: type: boolean volumeID: type: string required: - volumeID type: object projected: properties: defaultMode: format: int32 type: integer sources: items: properties: configMap: properties: items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array name: type: string optional: type: boolean type: object downwardAPI: properties: items: items: properties: fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object mode: format: int32 type: integer path: type: string resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object required: - path type: object type: array type: object secret: properties: items: items: properties: key: 
type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array name: type: string optional: type: boolean type: object serviceAccountToken: properties: audience: type: string expirationSeconds: format: int64 type: integer path: type: string required: - path type: object type: object type: array required: - sources type: object quobyte: properties: group: type: string readOnly: type: boolean registry: type: string tenant: type: string user: type: string volume: type: string required: - registry - volume type: object rbd: properties: fsType: type: string image: type: string keyring: type: string monitors: items: type: string type: array pool: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object user: type: string required: - image - monitors type: object scaleIO: properties: fsType: type: string gateway: type: string protectionDomain: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object sslEnabled: type: boolean storageMode: type: string storagePool: type: string system: type: string volumeName: type: string required: - gateway - secretRef - system type: object secret: properties: defaultMode: format: int32 type: integer items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array optional: type: boolean secretName: type: string type: object storageos: properties: fsType: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object volumeName: type: string volumeNamespace: type: string type: object vsphereVolume: properties: fsType: type: string storagePolicyID: type: string storagePolicyName: type: string volumePath: type: string required: - volumePath type: object required: - name type: object type: array xgboost: properties: args: items: type: string type: array command: items: type: string type: array env: items: 
properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string 
x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map protocolVersion: type: string readinessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: 
string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object runtimeVersion: type: string securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer 
successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean storageUri: type: string terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string type: object type: object transformer: properties: activeDeadlineSeconds: format: int64 type: integer affinity: properties: nodeAffinity: properties: preferredDuringSchedulingIgnoredDuringExecution: items: properties: preference: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchFields: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array type: object weight: format: int32 type: integer required: - preference - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: properties: nodeSelectorTerms: items: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchFields: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array type: object type: array required: - nodeSelectorTerms type: object type: 
object podAffinity: properties: preferredDuringSchedulingIgnoredDuringExecution: items: properties: podAffinityTerm: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object weight: format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: items: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object type: array type: object podAntiAffinity: properties: preferredDuringSchedulingIgnoredDuringExecution: items: properties: podAffinityTerm: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object weight: format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: items: properties: labelSelector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: 
object type: object namespaces: items: type: string type: array topologyKey: type: string required: - topologyKey type: object type: array type: object type: object automountServiceAccountToken: type: boolean batcher: properties: maxBatchSize: type: integer maxLatency: type: integer timeout: type: integer type: object canaryTrafficPercent: format: int64 type: integer containerConcurrency: format: int64 type: integer containers: items: properties: args: items: type: string type: array command: items: type: string type: array env: items: properties: name: type: string value: type: string valueFrom: properties: configMapKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object secretKeyRef: properties: key: type: string name: type: string optional: type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: items: properties: configMapRef: properties: name: type: string optional: type: boolean type: object prefix: type: string secretRef: properties: name: type: string optional: type: boolean type: object type: object type: array image: type: string imagePullPolicy: type: string lifecycle: properties: postStart: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: 
type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object preStop: properties: exec: properties: command: items: type: string type: array type: object httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object type: object type: object livenessProbe: properties: exec: properties: command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object name: type: string ports: items: properties: containerPort: format: int32 type: integer hostIP: type: string hostPort: format: int32 type: integer name: type: string protocol: type: string required: - containerPort - protocol type: object type: array x-kubernetes-list-map-keys: - containerPort - protocol x-kubernetes-list-type: map readinessProbe: properties: exec: properties: command: items: type: string type: array type: object 
failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object securityContext: properties: allowPrivilegeEscalation: type: boolean capabilities: properties: add: items: type: string type: array drop: items: type: string type: array type: object privileged: type: boolean procMount: type: string readOnlyRootFilesystem: type: boolean runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object startupProbe: properties: exec: properties: 
command: items: type: string type: array type: object failureThreshold: format: int32 type: integer httpGet: properties: host: type: string httpHeaders: items: properties: name: type: string value: type: string required: - name - value type: object type: array path: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true scheme: type: string required: - port type: object initialDelaySeconds: format: int32 type: integer periodSeconds: format: int32 type: integer successThreshold: format: int32 type: integer tcpSocket: properties: host: type: string port: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true required: - port type: object timeoutSeconds: format: int32 type: integer type: object stdin: type: boolean stdinOnce: type: boolean terminationMessagePath: type: string terminationMessagePolicy: type: string tty: type: boolean volumeDevices: items: properties: devicePath: type: string name: type: string required: - devicePath - name type: object type: array volumeMounts: items: properties: mountPath: type: string mountPropagation: type: string name: type: string readOnly: type: boolean subPath: type: string subPathExpr: type: string required: - mountPath - name type: object type: array workingDir: type: string required: - name type: object type: array dnsConfig: properties: nameservers: items: type: string type: array options: items: properties: name: type: string value: type: string type: object type: array searches: items: type: string type: array type: object dnsPolicy: type: string enableServiceLinks: type: boolean hostAliases: items: properties: hostnames: items: type: string type: array ip: type: string type: object type: array hostIPC: type: boolean hostNetwork: type: boolean hostPID: type: boolean hostname: type: string imagePullSecrets: items: properties: name: type: string type: object type: array logger: properties: mode: enum: - all - request - response type: string url: type: string type: object 
maxReplicas: type: integer minReplicas: type: integer nodeName: type: string nodeSelector: additionalProperties: type: string type: object overhead: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object preemptionPolicy: type: string priority: format: int32 type: integer priorityClassName: type: string readinessGates: items: properties: conditionType: type: string required: - conditionType type: object type: array restartPolicy: type: string runtimeClassName: type: string schedulerName: type: string securityContext: properties: fsGroup: format: int64 type: integer fsGroupChangePolicy: type: string runAsGroup: format: int64 type: integer runAsNonRoot: type: boolean runAsUser: format: int64 type: integer seLinuxOptions: properties: level: type: string role: type: string type: type: string user: type: string type: object seccompProfile: properties: localhostProfile: type: string type: type: string required: - type type: object supplementalGroups: items: format: int64 type: integer type: array sysctls: items: properties: name: type: string value: type: string required: - name - value type: object type: array windowsOptions: properties: gmsaCredentialSpec: type: string gmsaCredentialSpecName: type: string runAsUserName: type: string type: object type: object serviceAccount: type: string serviceAccountName: type: string setHostnameAsFQDN: type: boolean shareProcessNamespace: type: boolean subdomain: type: string terminationGracePeriodSeconds: format: int64 type: integer timeout: format: int64 type: integer tolerations: items: properties: effect: type: string key: type: string operator: type: string tolerationSeconds: format: int64 type: integer value: type: string type: object type: array topologySpreadConstraints: items: properties: labelSelector: properties: matchExpressions: items: properties: 
key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object maxSkew: format: int32 type: integer topologyKey: type: string whenUnsatisfiable: type: string required: - maxSkew - topologyKey - whenUnsatisfiable type: object type: array x-kubernetes-list-map-keys: - topologyKey - whenUnsatisfiable x-kubernetes-list-type: map volumes: items: properties: awsElasticBlockStore: properties: fsType: type: string partition: format: int32 type: integer readOnly: type: boolean volumeID: type: string required: - volumeID type: object azureDisk: properties: cachingMode: type: string diskName: type: string diskURI: type: string fsType: type: string kind: type: string readOnly: type: boolean required: - diskName - diskURI type: object azureFile: properties: readOnly: type: boolean secretName: type: string shareName: type: string required: - secretName - shareName type: object cephfs: properties: monitors: items: type: string type: array path: type: string readOnly: type: boolean secretFile: type: string secretRef: properties: name: type: string type: object user: type: string required: - monitors type: object cinder: properties: fsType: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object volumeID: type: string required: - volumeID type: object configMap: properties: defaultMode: format: int32 type: integer items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array name: type: string optional: type: boolean type: object csi: properties: driver: type: string fsType: type: string nodePublishSecretRef: properties: name: type: string type: object readOnly: type: boolean volumeAttributes: additionalProperties: type: string type: object required: - driver type: object downwardAPI: properties: defaultMode: format: int32 
type: integer items: items: properties: fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object mode: format: int32 type: integer path: type: string resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object required: - path type: object type: array type: object emptyDir: properties: medium: type: string sizeLimit: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: properties: readOnly: type: boolean volumeClaimTemplate: properties: metadata: type: object spec: properties: accessModes: items: type: string type: array dataSource: properties: apiGroup: type: string kind: type: string name: type: string required: - kind - name type: object resources: properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object type: object selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object storageClassName: type: string volumeMode: type: string volumeName: type: string type: object 
required: - spec type: object type: object fc: properties: fsType: type: string lun: format: int32 type: integer readOnly: type: boolean targetWWNs: items: type: string type: array wwids: items: type: string type: array type: object flexVolume: properties: driver: type: string fsType: type: string options: additionalProperties: type: string type: object readOnly: type: boolean secretRef: properties: name: type: string type: object required: - driver type: object flocker: properties: datasetName: type: string datasetUUID: type: string type: object gcePersistentDisk: properties: fsType: type: string partition: format: int32 type: integer pdName: type: string readOnly: type: boolean required: - pdName type: object gitRepo: properties: directory: type: string repository: type: string revision: type: string required: - repository type: object glusterfs: properties: endpoints: type: string path: type: string readOnly: type: boolean required: - endpoints - path type: object hostPath: properties: path: type: string type: type: string required: - path type: object iscsi: properties: chapAuthDiscovery: type: boolean chapAuthSession: type: boolean fsType: type: string initiatorName: type: string iqn: type: string iscsiInterface: type: string lun: format: int32 type: integer portals: items: type: string type: array readOnly: type: boolean secretRef: properties: name: type: string type: object targetPortal: type: string required: - iqn - lun - targetPortal type: object name: type: string nfs: properties: path: type: string readOnly: type: boolean server: type: string required: - path - server type: object persistentVolumeClaim: properties: claimName: type: string readOnly: type: boolean required: - claimName type: object photonPersistentDisk: properties: fsType: type: string pdID: type: string required: - pdID type: object portworxVolume: properties: fsType: type: string readOnly: type: boolean volumeID: type: string required: - volumeID type: object projected: properties: 
defaultMode: format: int32 type: integer sources: items: properties: configMap: properties: items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array name: type: string optional: type: boolean type: object downwardAPI: properties: items: items: properties: fieldRef: properties: apiVersion: type: string fieldPath: type: string required: - fieldPath type: object mode: format: int32 type: integer path: type: string resourceFieldRef: properties: containerName: type: string divisor: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: type: string required: - resource type: object required: - path type: object type: array type: object secret: properties: items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array name: type: string optional: type: boolean type: object serviceAccountToken: properties: audience: type: string expirationSeconds: format: int64 type: integer path: type: string required: - path type: object type: object type: array required: - sources type: object quobyte: properties: group: type: string readOnly: type: boolean registry: type: string tenant: type: string user: type: string volume: type: string required: - registry - volume type: object rbd: properties: fsType: type: string image: type: string keyring: type: string monitors: items: type: string type: array pool: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object user: type: string required: - image - monitors type: object scaleIO: properties: fsType: type: string gateway: type: string protectionDomain: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object sslEnabled: type: boolean storageMode: type: 
string storagePool: type: string system: type: string volumeName: type: string required: - gateway - secretRef - system type: object secret: properties: defaultMode: format: int32 type: integer items: items: properties: key: type: string mode: format: int32 type: integer path: type: string required: - key - path type: object type: array optional: type: boolean secretName: type: string type: object storageos: properties: fsType: type: string readOnly: type: boolean secretRef: properties: name: type: string type: object volumeName: type: string volumeNamespace: type: string type: object vsphereVolume: properties: fsType: type: string storagePolicyID: type: string storagePolicyName: type: string volumePath: type: string required: - volumePath type: object required: - name type: object type: array type: object required: - predictor type: object status: properties: address: properties: url: type: string type: object annotations: additionalProperties: type: string type: object components: additionalProperties: properties: address: properties: url: type: string type: object latestCreatedRevision: type: string latestReadyRevision: type: string latestRolledoutRevision: type: string previousRolledoutRevision: type: string traffic: items: properties: configurationName: type: string latestRevision: type: boolean percent: format: int64 type: integer revisionName: type: string tag: type: string url: type: string type: object type: array url: type: string type: object type: object conditions: items: properties: lastTransitionTime: type: string message: type: string reason: type: string severity: type: string status: type: string type: type: string required: - status - type type: object type: array observedGeneration: format: int64 type: integer url: type: string type: object type: object served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: 
annotations: controller-gen.kubebuilder.io/version: v0.3.1-0.20200528125929-5c0c6ae3b64b creationTimestamp: null labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving name: trainedmodels.serving.kubeflow.org spec: additionalPrinterColumns: - JSONPath: .status.url name: URL type: string - JSONPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: serving.kubeflow.org names: kind: TrainedModel listKind: TrainedModelList plural: trainedmodels shortNames: - tm singular: trainedmodel scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: apiVersion: type: string kind: type: string metadata: type: object spec: properties: inferenceService: type: string model: properties: framework: type: string memory: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true storageUri: type: string required: - framework - memory - storageUri type: object required: - inferenceService - model type: object status: properties: address: properties: url: type: string type: object annotations: additionalProperties: type: string type: object conditions: items: properties: lastTransitionTime: type: string message: type: string reason: type: string severity: type: string status: type: string type: type: string required: - status - type type: object type: array observedGeneration: format: int64 type: integer url: type: string type: object type: object version: v1alpha1 versions: - name: v1alpha1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving 
kustomize.component: kfserving name: leader-election-role namespace: kubeflow rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - configmaps/status verbs: - get - update - patch - apiGroups: - "" resources: - events verbs: - create
---
# ClusterRole for the KFServing controller manager.
# It is bound by the ClusterRoleBinding kfserving-manager-rolebinding later in
# this manifest, so every rule below applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
  name: kfserving-manager-role
rules:
# Write access to admission webhook registrations. A holder can add, change or
# remove mutating/validating webhooks for the whole cluster, so this rule is
# one of the two that make the role highly privileged.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
# Read and write on Secrets in every namespace. Any identity holding this role
# can read all Secrets in the cluster; audit who the role is bound to.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# Istio VirtualServices: full management, including routing changes in any
# namespace.
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices/status
  verbs:
  - get
  - patch
  - update
# Knative Services: full management.
- apiGroups:
  - serving.knative.dev
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - serving.knative.dev
  resources:
  - services/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - serving.knative.dev
  resources:
  - services/status
  verbs:
  - get
  - patch
  - update
# KFServing's own resources (serving.kubeflow.org).
- apiGroups:
  - serving.kubeflow.org
  resources:
  - inferenceservices
  - inferenceservices/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - serving.kubeflow.org
  resources:
  - inferenceservices/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - serving.kubeflow.org
  resources:
  - trainedmodels
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - serving.kubeflow.org
  resources:
  - trainedmodels/status
  verbs:
  - get
  - patch
  - update
---
# ClusterRole that only allows creating TokenReviews and SubjectAccessReviews,
# i.e. asking the API server to authenticate a token and to authorize a request.
# Presumably consumed by the kube-rbac-proxy sidecar in the controller pod —
# confirm against the StatefulSet.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
  name: kfserving-proxy-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
# Aggregated ClusterRole: it declares no rules of its own. Its effective rules
# come from every ClusterRole carrying the label
# rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kfserving-admin: "true".
# Its own aggregate-to-kubeflow-admin label suggests it is in turn folded into
# a kubeflow-admin role defined elsewhere.
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kfserving-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
  name: kubeflow-kfserving-admin
rules: []
---
# Edit role for InferenceServices. The two aggregate-to-* labels mark it for
# aggregation into kubeflow-kfserving-admin (above) and into a kubeflow-edit
# role defined elsewhere.
# NOTE(review): the CRD schema earlier in this manifest accepts pod-level
# fields such as hostNetwork, hostPID, hostPath volumes and a privileged
# securityContext. Whether those ever reach a running pod depends on controller
# and admission validation that is not shown here — confirm before treating
# this role as low-privilege.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kfserving-admin: "true"
  name: kubeflow-kfserving-edit
rules:
- apiGroups:
  - serving.kubeflow.org
  resources:
  - inferenceservices
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - deletecollection
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kfserving
app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" name: kubeflow-kfserving-view rules: - apiGroups: - serving.kubeflow.org resources: - inferenceservices verbs: - get - list - watch
---
# Grants the namespaced leader-election-role to the `default` ServiceAccount of
# namespace kubeflow.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
  name: leader-election-rolebinding
  namespace: kubeflow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: kubeflow
---
# Binds kfserving-manager-role cluster-wide to the `default` ServiceAccount of
# namespace kubeflow. That role, as defined in this manifest, includes
# read/write on Secrets and on admission webhook configurations.
# NOTE(review): a pod in kubeflow that does not set serviceAccountName runs as
# `default`, so every such pod inherits these rights, not only the KFServing
# controller. A dedicated ServiceAccount, referenced here and from the
# controller StatefulSet, would confine the grant to the controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
  name: kfserving-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kfserving-manager-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: kubeflow
---
# Binds kfserving-proxy-role (TokenReview / SubjectAccessReview creation) to
# the same `default` ServiceAccount; the shared-identity caveat above applies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
  name: kfserving-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kfserving-proxy-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: kubeflow
---
# ConfigMap holding KFServing settings as one JSON document per key.
# Every container image below is referenced by registry name plus a tag or a
# separate defaultImageVersion; none is pinned by digest, so the content behind
# a tag can change without this manifest changing.
apiVersion: v1
data:
  agent: |-
    { "image" : "kfserving/agent:v0.5.1", "memoryRequest": "100Mi", "memoryLimit": "1Gi", "cpuRequest": "100m", "cpuLimit": "1" }
  batcher: |-
    { "image" : "kfserving/agent:v0.5.1", "memoryRequest": "1Gi", "memoryLimit": "1Gi", "cpuRequest": "1", "cpuLimit": "1" }
  # Holds only the file name and variable names used for GCS/S3 credentials;
  # no credential material is stored in this ConfigMap.
  credentials: |-
    { "gcs": { "gcsCredentialFileName": "gcloud-application-credentials.json" }, "s3": { "s3AccessKeyIDName": "AWS_ACCESS_KEY_ID", "s3SecretAccessKeyName": "AWS_SECRET_ACCESS_KEY" } }
  explainers: |-
    { "alibi": { "image" : "kfserving/alibi-explainer", "defaultImageVersion": "v0.5.1" }, "aix": { "image" : "kfserving/aix-explainer", "defaultImageVersion": "v0.5.1" }, "art": { "image" : "kfserving/art-explainer", "defaultImageVersion": "v0.5.1" } }
  ingress: |-
    { "ingressGateway" : "kubeflow-gateway.kubeflow", "ingressService" : "istio-ingressgateway.istio-system.svc.cluster.local", "localGateway" : "cluster-local-gateway.knative-serving", "localGatewayService" : "cluster-local-gateway.istio-system.svc.cluster.local" }
  # NOTE(review): defaultUrl is plain http. If this is the default sink for
  # logged inference requests/responses, that traffic is unencrypted unless
  # the mesh adds mTLS — confirm.
  logger: |-
    { "image" : "kfserving/agent:v0.5.1", "memoryRequest": "100Mi", "memoryLimit": "1Gi", "cpuRequest": "100m", "cpuLimit": "1", "defaultUrl": "http://default-broker" }
  # Images come from several registries (Docker Hub, gcr.io, mcr.microsoft.com,
  # nvcr.io), each with a mutable version tag.
  predictors: |-
    { "tensorflow": { "image": "tensorflow/serving", "defaultImageVersion": "1.14.0", "defaultGpuImageVersion": "1.14.0-gpu", "defaultTimeout": "60", "supportedFrameworks": [ "tensorflow" ], "multiModelServer": false }, "onnx": { "image": "mcr.microsoft.com/onnxruntime/server", "defaultImageVersion": "v1.0.0", "supportedFrameworks": [ "onnx" ], "multiModelServer": false }, "sklearn": { "v1": { "image": "gcr.io/kfserving/sklearnserver", "defaultImageVersion": "v0.5.1", "supportedFrameworks": [ "sklearn" ], "multiModelServer": false }, "v2": { "image": "docker.io/seldonio/mlserver", "defaultImageVersion": "0.2.1", "supportedFrameworks": [ "sklearn" ], "multiModelServer": false } }, "xgboost": { "v1": { "image": "gcr.io/kfserving/xgbserver", "defaultImageVersion": "v0.5.1", "supportedFrameworks": [ "xgboost" ], "multiModelServer": false }, "v2": { "image": "docker.io/seldonio/mlserver", "defaultImageVersion": "0.2.1", "supportedFrameworks": [ "xgboost" ], "multiModelServer": false } }, "pytorch": { "v1" : { "image": "gcr.io/kfserving/pytorchserver", "defaultImageVersion": "v0.5.1", "defaultGpuImageVersion": "v0.5.1-gpu", "supportedFrameworks": [ "pytorch" ], "multiModelServer": false }, "v2" : { "image": "kfserving/torchserve-kfs", "defaultImageVersion": "0.3.0", "defaultGpuImageVersion": "0.3.0-gpu", "supportedFrameworks": [ "pytorch" ], "multiModelServer": false } }, "triton": { "image": "nvcr.io/nvidia/tritonserver", "defaultImageVersion": "20.08-py3", "supportedFrameworks": [ "tensorrt", "tensorflow", "onnx", "pytorch", "caffe2" ], "multiModelServer": false }, "pmml": { "image": "kfserving/pmmlserver", "defaultImageVersion": "v0.5.1", "supportedFrameworks": [ "pmml" ], "multiModelServer": false }, "lightgbm": { "image": "kfserving/lgbserver", "defaultImageVersion": "v0.5.1", "supportedFrameworks": [ "lightgbm" ], "multiModelServer": false } }
  storageInitializer: |-
    { "image" : "gcr.io/kfserving/storage-initializer:v0.5.1", "memoryRequest": "100Mi", "memoryLimit": "1Gi", "cpuRequest": "100m", "cpuLimit": "1" }
  transformers: |-
    { }
kind: ConfigMap
metadata:
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
  name: inferenceservice-config
  namespace: kubeflow
---
# Second ConfigMap with a single ingressGateway key.
# NOTE(review): the value contains literal double quotes and a trailing comma
# (it reads like a fragment of JSON); confirm the consumer expects exactly this
# string.
apiVersion: v1
data:
  ingressGateway: '"kubeflow-gateway.kubeflow",'
kind: ConfigMap
metadata:
  annotations: {}
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
  name: kfserving-config
  namespace: kubeflow
---
# Secret declared without type or data.
# NOTE(review): the controller StatefulSet and the Certificate in this manifest
# use a differently named secret, kfserving-webhook-server-cert, so this object
# looks like an unused placeholder — confirm before relying on it.
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: kfserving
    app.kubernetes.io/component: kfserving
    app.kubernetes.io/name: kfserving
    kustomize.component: kfserving
  name: kfserving-webhook-server-secret
  namespace: kubeflow
---
apiVersion: v1 kind: Service metadata: annotations: prometheus.io/port: "8443" prometheus.io/scheme: https prometheus.io/scrape: "true" labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving control-plane: kfserving-controller-manager controller-tools.k8s.io: "1.0" kustomize.component: kfserving name: kfserving-controller-manager-metrics-service namespace: kubeflow spec: ports: - name: https port: 8443 targetPort: https selector: app:
kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving control-plane: kfserving-controller-manager controller-tools.k8s.io: "1.0" kustomize.component: kfserving --- apiVersion: v1 kind: Service metadata: labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving control-plane: kfserving-controller-manager controller-tools.k8s.io: "1.0" kustomize.component: kfserving name: kfserving-controller-manager-service namespace: kubeflow spec: ports: - port: 443 selector: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving control-plane: kfserving-controller-manager controller-tools.k8s.io: "1.0" kustomize.component: kfserving --- apiVersion: v1 kind: Service metadata: labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving name: kfserving-webhook-server-service namespace: kubeflow spec: ports: - port: 443 targetPort: webhook-server selector: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving control-plane: kfserving-controller-manager kustomize.component: kfserving --- apiVersion: apps/v1 kind: StatefulSet metadata: labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving control-plane: kfserving-controller-manager controller-tools.k8s.io: "1.0" kustomize.component: kfserving name: kfserving-controller-manager namespace: kubeflow spec: selector: matchLabels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving control-plane: kfserving-controller-manager controller-tools.k8s.io: "1.0" kustomize.component: kfserving serviceName: controller-manager-service template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving control-plane: kfserving-controller-manager controller-tools.k8s.io: "1.0" 
kustomize.component: kfserving spec: containers: - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=10 image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubebuilder-kube-rbac-proxy:v0.4.0-83234 name: kube-rbac-proxy ports: - containerPort: 8443 name: https - args: - --metrics-addr=127.0.0.1:8080 command: - /manager env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: SECRET_NAME value: kfserving-webhook-server-cert image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kfserving-kfserving-controller:v0.5.1-8dc63 imagePullPolicy: Always name: manager ports: - containerPort: 9443 name: webhook-server protocol: TCP resources: limits: cpu: 100m memory: 300Mi requests: cpu: 100m memory: 200Mi volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true terminationGracePeriodSeconds: 10 volumes: - name: cert secret: defaultMode: 420 secretName: kfserving-webhook-server-cert --- apiVersion: cert-manager.io/v1alpha2 kind: Certificate metadata: labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving name: serving-cert namespace: kubeflow spec: commonName: kfserving-webhook-server-service.kubeflow.svc dnsNames: - kfserving-webhook-server-service.kubeflow.svc issuerRef: kind: Issuer name: selfsigned-issuer secretName: kfserving-webhook-server-cert --- apiVersion: cert-manager.io/v1alpha2 kind: Issuer metadata: labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving name: selfsigned-issuer namespace: kubeflow spec: selfSigned: {} --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: kubeflow/serving-cert labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving 
name: inferenceservice.serving.kubeflow.org webhooks: - clientConfig: caBundle: Cg== service: name: kfserving-webhook-server-service namespace: kubeflow path: /mutate-serving-kubeflow-org-v1alpha2-inferenceservice failurePolicy: Fail name: inferenceservice.kfserving-webhook-server.defaulter rules: - apiGroups: - serving.kubeflow.org apiVersions: - v1alpha2 operations: - CREATE - UPDATE resources: - inferenceservices - clientConfig: caBundle: Cg== service: name: kfserving-webhook-server-service namespace: kubeflow path: /mutate-serving-kubeflow-org-v1beta1-inferenceservice failurePolicy: Fail name: inferenceservice.kfserving-webhook-server.v1beta1.defaulter rules: - apiGroups: - serving.kubeflow.org apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - inferenceservices - clientConfig: caBundle: Cg== service: name: kfserving-webhook-server-service namespace: kubeflow path: /mutate-pods failurePolicy: Fail name: inferenceservice.kfserving-webhook-server.pod-mutator namespaceSelector: matchExpressions: - key: control-plane operator: DoesNotExist objectSelector: matchExpressions: - key: serving.kubeflow.org/inferenceservice operator: Exists rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE - UPDATE resources: - pods --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: kubeflow/serving-cert labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving name: inferenceservice.serving.kubeflow.org webhooks: - clientConfig: caBundle: Cg== service: name: kfserving-webhook-server-service namespace: kubeflow path: /validate-serving-kubeflow-org-v1alpha2-inferenceservice failurePolicy: Fail name: inferenceservice.kfserving-webhook-server.validator rules: - apiGroups: - serving.kubeflow.org apiVersions: - v1alpha2 operations: - CREATE - UPDATE resources: - inferenceservices - clientConfig: caBundle: 
Cg== service: name: kfserving-webhook-server-service namespace: kubeflow path: /validate-serving-kubeflow-org-v1beta1-inferenceservice failurePolicy: Fail name: inferenceservice.kfserving-webhook-server.v1beta1.validator rules: - apiGroups: - serving.kubeflow.org apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - inferenceservices --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: kubeflow/serving-cert labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving name: trainedmodel.serving.kubeflow.org webhooks: - clientConfig: caBundle: Cg== service: name: kfserving-webhook-server-service namespace: kubeflow path: /validate-serving-kubeflow-org-v1alpha1-trainedmodel failurePolicy: Fail name: trainedmodel.kfserving-webhook-server.validator rules: - apiGroups: - serving.kubeflow.org apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - trainedmodels ================================================ FILE: manifest1.3/019-katib-installs-katib-with-kubeflow-cert-manager.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: experiments.kubeflow.org spec: additionalPrinterColumns: - JSONPath: .status.conditions[-1:].type name: Type type: string - JSONPath: .status.conditions[-1:].status name: Status type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kubeflow.org names: categories: - all - kubeflow - katib kind: Experiment plural: experiments singular: experiment scope: Namespaced subresources: status: {} version: v1beta1 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: suggestions.kubeflow.org spec: additionalPrinterColumns: - JSONPath: .status.conditions[-1:].type name: Type type: string - JSONPath: .status.conditions[-1:].status 
name: Status type: string - JSONPath: .spec.requests name: Requested type: string - JSONPath: .status.suggestionCount name: Assigned type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kubeflow.org names: categories: - all - kubeflow - katib kind: Suggestion plural: suggestions singular: suggestion scope: Namespaced subresources: status: {} version: v1beta1
---
# CustomResourceDefinition registering the namespaced Trial kind
# (trials.kubeflow.org, version v1beta1) with a status subresource.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22,
# so this document only applies on older clusters. No validation schema is
# declared in this document.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: trials.kubeflow.org
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[-1:].type
    name: Type
    type: string
  - JSONPath: .status.conditions[-1:].status
    name: Status
    type: string
  - JSONPath: .metadata.creationTimestamp
    name: Age
    type: date
  group: kubeflow.org
  names:
    categories:
    - all
    - kubeflow
    - katib
    kind: Trial
    plural: trials
    singular: trial
  scope: Namespaced
  subresources:
    status: {}
  version: v1beta1
---
# Service account named by serviceAccountName in the katib-controller
# Deployment later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: katib-controller
  namespace: kubeflow
---
# Service account named by serviceAccountName in the katib-ui Deployment
# later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: katib-ui
  namespace: kubeflow
---
# Cluster-wide permissions for the katib-controller service account. The
# ClusterRoleBinding of the same name later in this file attaches this role
# without a namespace restriction, so every rule below applies in all
# namespaces.
# NOTE(review): every rule uses the '*' verb. Listing the verbs the controller
# actually needs would limit what a compromised controller pod can do.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: katib-controller
rules:
# Core API group: full control over workload and storage objects, including
# namespaces and persistentvolumes. Secrets are not in this list.
- apiGroups:
  - ""
  resources:
  - configmaps
  - serviceaccounts
  - services
  - events
  - namespaces
  - persistentvolumes
  - persistentvolumeclaims
  - pods
  - pods/log
  - pods/status
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - '*'
# NOTE(review): '*' on roles and rolebindings also covers the `escalate` and
# `bind` verbs, which switch off the API server's RBAC privilege-escalation
# checks for these resources. Whoever controls this service account can
# therefore grant further namespaced permissions in any namespace. Replace the
# wildcard with an explicit verb list that leaves out `escalate` and `bind`.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'
# Katib's own custom resources plus the training-job kinds it launches.
- apiGroups:
  - kubeflow.org
  resources:
  - experiments
  - experiments/status
  - experiments/finalizers
  - trials
  - trials/status
  - trials/finalizers
  - suggestions
  - suggestions/status
  - suggestions/finalizers
  - tfjobs
  - pytorchjobs
  - mpijobs
  verbs:
  - '*'
- apiGroups:
  - tekton.dev
  resources:
  - pipelineruns
  - taskruns
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: katib-ui rules: -
apiGroups: - "" resources: - configmaps - namespaces verbs: - '*' - apiGroups: - kubeflow.org resources: - experiments - trials - suggestions verbs: - '*' --- aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" name: kubeflow-katib-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: "true" name: kubeflow-katib-edit rules: - apiGroups: - kubeflow.org resources: - experiments - trials - suggestions verbs: - get - list - watch - create - delete - deletecollection - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" name: kubeflow-katib-view rules: - apiGroups: - kubeflow.org resources: - experiments - trials - suggestions verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: katib-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: katib-controller subjects: - kind: ServiceAccount name: katib-controller namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: katib-ui roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: katib-ui subjects: - kind: ServiceAccount name: katib-ui namespace: kubeflow --- apiVersion: v1 data: early-stopping: |- { "medianstop": { "image": "docker.io/kubeflowkatib/earlystopping-medianstop:v0.11.0" } } metrics-collector-sidecar: |- { "StdOut": { "image": "docker.io/kubeflowkatib/file-metrics-collector:v0.11.0" }, "File": { "image": "docker.io/kubeflowkatib/file-metrics-collector:v0.11.0" }, 
"TensorFlowEvent": { "image": "docker.io/kubeflowkatib/tfevent-metrics-collector:v0.11.0", "resources": { "limits": { "memory": "1Gi" } } } } suggestion: |- { "random": { "image": "docker.io/kubeflowkatib/suggestion-hyperopt:v0.11.0" }, "tpe": { "image": "docker.io/kubeflowkatib/suggestion-hyperopt:v0.11.0" }, "grid": { "image": "docker.io/kubeflowkatib/suggestion-chocolate:v0.11.0" }, "hyperband": { "image": "docker.io/kubeflowkatib/suggestion-hyperband:v0.11.0" }, "bayesianoptimization": { "image": "docker.io/kubeflowkatib/suggestion-skopt:v0.11.0" }, "cmaes": { "image": "docker.io/kubeflowkatib/suggestion-goptuna:v0.11.0" }, "enas": { "image": "docker.io/kubeflowkatib/suggestion-enas:v0.11.0", "resources": { "limits": { "memory": "200Mi" } } }, "darts": { "image": "docker.io/kubeflowkatib/suggestion-darts:v0.11.0" } } kind: ConfigMap metadata: name: katib-config namespace: kubeflow --- apiVersion: v1 data: defaultTrialTemplate.yaml: |- apiVersion: batch/v1 kind: Job spec: template: spec: containers: - name: training-container image: docker.io/kubeflowkatib/mxnet-mnist:v1beta1-45c5727 command: - "python3" - "/opt/mxnet-mnist/mnist.py" - "--batch-size=64" - "--lr=${trialParameters.learningRate}" - "--num-layers=${trialParameters.numberLayers}" - "--optimizer=${trialParameters.optimizer}" restartPolicy: Never enasCPUTemplate: |- apiVersion: batch/v1 kind: Job spec: template: spec: containers: - name: training-container image: docker.io/kubeflowkatib/enas-cnn-cifar10-cpu:v1beta1-45c5727 command: - python3 - -u - RunTrial.py - --num_epochs=1 - "--architecture=\"${trialParameters.neuralNetworkArchitecture}\"" - "--nn_config=\"${trialParameters.neuralNetworkConfig}\"" restartPolicy: Never pytorchJobTemplate: |- apiVersion: "kubeflow.org/v1" kind: PyTorchJob spec: pytorchReplicaSpecs: Master: replicas: 1 restartPolicy: OnFailure template: spec: containers: - name: pytorch image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727 imagePullPolicy: Always command: - 
"python3" - "/opt/pytorch-mnist/mnist.py" - "--epochs=1" - "--lr=${trialParameters.learningRate}" - "--momentum=${trialParameters.momentum}" Worker: replicas: 2 restartPolicy: OnFailure template: spec: containers: - name: pytorch image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727 imagePullPolicy: Always command: - "python3" - "/opt/pytorch-mnist/mnist.py" - "--epochs=1" - "--lr=${trialParameters.learningRate}" - "--momentum=${trialParameters.momentum}" kind: ConfigMap metadata: labels: app: katib-trial-templates name: trial-template namespace: kubeflow --- apiVersion: v1 data: MYSQL_ROOT_PASSWORD: dGVzdA== kind: Secret metadata: name: katib-mysql-secrets namespace: kubeflow type: Opaque --- apiVersion: v1 kind: Service metadata: annotations: prometheus.io/port: "8080" prometheus.io/scheme: http prometheus.io/scrape: "true" name: katib-controller namespace: kubeflow spec: ports: - name: webhook port: 443 protocol: TCP targetPort: 8443 - name: metrics port: 8080 targetPort: 8080 selector: app: katib-controller --- apiVersion: v1 kind: Service metadata: labels: app: katib-db-manager name: katib-db-manager namespace: kubeflow spec: ports: - name: api port: 6789 protocol: TCP selector: app: katib-db-manager type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app: katib-mysql name: katib-mysql namespace: kubeflow spec: ports: - name: dbapi port: 3306 protocol: TCP selector: app: katib-mysql type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app: katib-ui name: katib-ui namespace: kubeflow spec: ports: - name: ui port: 80 protocol: TCP targetPort: 8080 selector: app: katib-ui type: ClusterIP --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: katib-mysql namespace: kubeflow spec: accessModes: - ReadWriteOnce resources: requests: storage: 10Gi --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: katib-controller name: katib-controller namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: 
katib-controller template: metadata: annotations: prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" labels: app: katib-controller spec: containers: - args: - --webhook-port=8443 - --trial-resources=Job.v1.batch - --trial-resources=TFJob.v1.kubeflow.org - --trial-resources=PyTorchJob.v1.kubeflow.org - --trial-resources=MPIJob.v1.kubeflow.org - --trial-resources=PipelineRun.v1beta1.tekton.dev command: - ./katib-controller env: - name: KATIB_CORE_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflowkatib-katib-controller:v0.11.0-8ba36 name: katib-controller ports: - containerPort: 8443 name: webhook protocol: TCP - containerPort: 8080 name: metrics protocol: TCP resources: limits: cpu: "1" memory: 500Mi requests: cpu: 500m memory: 500Mi volumeMounts: - mountPath: /tmp/cert name: cert readOnly: true serviceAccountName: katib-controller volumes: - name: cert secret: defaultMode: 420 secretName: katib-webhook-cert
---
# Deployment of katib-db-manager, which listens on container port 6789 and is
# health-checked with grpc_health_probe.
# NOTE(review), applies to every Deployment in this part of the file:
#  - images come from a mirror registry and are referenced by tag only; pin
#    them by digest (image@sha256:<digest>) so the content cannot change
#    under the same tag;
#  - no securityContext is set, so the containers run with the image's
#    default user and privileges;
#  - sidecar.istio.io/inject is "false", so these pods get no Istio proxy;
#    mesh mTLS and AuthorizationPolicy presumably do not cover their ports
#    (TODO confirm) and a NetworkPolicy is worth considering.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: katib-db-manager
  name: katib-db-manager
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: katib-db-manager
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: katib-db-manager
    spec:
      containers:
      - command:
        - ./katib-db-manager
        env:
        - name: DB_NAME
          value: mysql
        # NOTE(review): the database password is taken from the
        # MYSQL_ROOT_PASSWORD key, i.e. the same credential the MySQL
        # container uses for root. Presumably the manager connects as root
        # (confirm); a dedicated account limited to the katib database would
        # reduce the impact of a leak.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              key: MYSQL_ROOT_PASSWORD
              name: katib-mysql-secrets
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflowkatib-katib-db-manager:v0.11.0-f54bf
        livenessProbe:
          exec:
            command:
            - /bin/grpc_health_probe
            - -addr=:6789
          failureThreshold: 5
          initialDelaySeconds: 10
          periodSeconds: 60
        name: katib-db-manager
        ports:
        - containerPort: 6789
          name: api
        readinessProbe:
          exec:
            command:
            - /bin/grpc_health_probe
            - -addr=:6789
          initialDelaySeconds: 5
---
# Single-replica MySQL instance backing Katib, with its data on the
# katib-mysql PersistentVolumeClaim. The Recreate strategy stops the old pod
# before starting a new one.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: katib-mysql
  name: katib-mysql
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: katib-mysql
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: katib-mysql
    spec:
      containers:
      - args:
        - --datadir
        - /var/lib/mysql/datadir
        env:
        # NOTE(review): Secret katib-mysql-secrets is defined earlier in this
        # file with a literal value (MYSQL_ROOT_PASSWORD: dGVzdA==). Base64 is
        # an encoding, not encryption, and the value decodes to a trivial
        # default that every installation of this bundle shares. Generate a
        # per-installation password and keep it out of the repository.
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              key: MYSQL_ROOT_PASSWORD
              name: katib-mysql-secrets
        # NOTE(review): presumably follows the official MySQL image
        # convention, where this flag lets the server initialise without a
        # root password when MYSQL_ROOT_PASSWORD is empty (confirm for this
        # mirrored image). It is redundant while the Secret is populated and
        # would turn an emptied Secret value into a password-less root
        # account; consider removing it.
        - name: MYSQL_ALLOW_EMPTY_PASSWORD
          value: "true"
        - name: MYSQL_DATABASE
          value: katib
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/mysql:8-0627e
        # NOTE(review): both probes run through bash and expand the root
        # password into the client's argument list on every probe run. A
        # client option file or a low-privilege health-check account keeps
        # the root credential off the command line.
        livenessProbe:
          exec:
            command:
            - /bin/bash
            - -c
            - mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
        name: katib-mysql
        ports:
        - containerPort: 3306
          name: dbapi
        readinessProbe:
          exec:
            command:
            - /bin/bash
            - -c
            - mysql -D ${MYSQL_DATABASE} -u root -p${MYSQL_ROOT_PASSWORD} -e 'SELECT 1'
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 1
        volumeMounts:
        - mountPath: /var/lib/mysql
          name: katib-mysql
      volumes:
      - name: katib-mysql
        persistentVolumeClaim:
          claimName: katib-mysql
---
# Deployment of the Katib web UI, listening on port 8080.
# NOTE(review): this is the HTTP-facing Katib component; a VirtualService
# later in this file routes /katib/ on kubeflow-gateway to it. It runs as
# service account katib-ui, whose ClusterRole (defined earlier in this file)
# grants '*' on configmaps and namespaces in every namespace. Narrow that
# role to the verbs the UI needs.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: katib-ui
  name: katib-ui
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: katib-ui
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: katib-ui
    spec:
      containers:
      - args:
        - --port=8080
        command:
        - ./katib-ui
        env:
        - name: KATIB_CORE_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflowkatib-katib-ui:v0.11.0-aaf82
        name: katib-ui
        ports:
        - containerPort: 8080
          name: ui
      serviceAccountName: katib-ui
---
# Certificate for the katib-controller webhook endpoint. cert-manager writes
# it to Secret katib-webhook-cert, which the katib-controller Deployment
# mounts read-only at /tmp/cert.
# NOTE(review): isCA: true makes this serving certificate a CA certificate as
# well, so the key held by the webhook pod can also sign certificates.
# Consider a separate CA with a leaf certificate for the webhook.
# NOTE(review): cert-manager.io/v1alpha2 is a deprecated API version that
# newer cert-manager releases no longer serve; confirm against the
# cert-manager version this bundle installs.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: katib-webhook-cert
  namespace: kubeflow
spec:
  commonName: katib-controller.kubeflow.svc
  dnsNames:
  - katib-controller.kubeflow.svc
  - katib-controller.kubeflow.svc.cluster.local
  isCA: true
  issuerRef:
    kind: Issuer
    name: katib-selfsigned-issuer
  secretName: katib-webhook-cert
---
apiVersion: cert-manager.io/v1alpha2 kind: Issuer metadata: name:
katib-selfsigned-issuer namespace: kubeflow spec: selfSigned: {} --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: katib-ui namespace: kubeflow spec: gateways: - kubeflow-gateway hosts: - '*' http: - match: - uri: prefix: /katib/ rewrite: uri: /katib/ route: - destination: host: katib-ui.kubeflow.svc.cluster.local port: number: 80 --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: kubeflow/katib-webhook-cert name: katib.kubeflow.org webhooks: - admissionReviewVersions: - v1beta1 clientConfig: caBundle: Cg== service: name: katib-controller namespace: kubeflow path: /mutate-experiment failurePolicy: Ignore name: defaulter.experiment.katib.kubeflow.org rules: - apiGroups: - kubeflow.org apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - experiments sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: caBundle: Cg== service: name: katib-controller namespace: kubeflow path: /mutate-pod failurePolicy: Ignore name: mutator.pod.katib.kubeflow.org namespaceSelector: matchLabels: katib-metricscollector-injection: enabled rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods sideEffects: None --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: kubeflow/katib-webhook-cert name: katib.kubeflow.org webhooks: - admissionReviewVersions: - v1beta1 clientConfig: caBundle: Cg== service: name: katib-controller namespace: kubeflow path: /validate-experiment failurePolicy: Ignore name: validator.experiment.katib.kubeflow.org rules: - apiGroups: - kubeflow.org apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - experiments sideEffects: None ================================================ FILE: manifest1.3/020-centraldashboard-overlays-istio.yaml ================================================ apiVersion: v1 
kind: ServiceAccount metadata: labels: app: centraldashboard app.kubernetes.io/component: centraldashboard app.kubernetes.io/name: centraldashboard kustomize.component: centraldashboard name: centraldashboard namespace: kubeflow
---
# Namespaced permissions for the centraldashboard service account in the
# kubeflow namespace (attached by the RoleBinding below). The dashboard is the
# component a VirtualService later in this file exposes at "/" on
# kubeflow-gateway, so these rules define what a compromised dashboard can
# reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: centraldashboard
    app.kubernetes.io/component: centraldashboard
    app.kubernetes.io/name: centraldashboard
    kustomize.component: centraldashboard
  name: centraldashboard
  namespace: kubeflow
rules:
# NOTE(review): pods/exec is listed with read verbs only. Depending on the API
# server version, exec sessions opened over WebSocket may be authorised as
# `get`. TODO: confirm for the target cluster, and drop pods/exec if the
# dashboard has no need for it.
- apiGroups:
  - ""
  - app.k8s.io
  resources:
  - applications
  - pods
  - pods/exec
  - pods/log
  verbs:
  - get
  - list
  - watch
# NOTE(review): `get` on secrets without resourceNames lets the dashboard read
# any Secret in the kubeflow namespace by name. This bundle keeps the Katib
# MySQL password and the webhook TLS keys in that namespace. Restrict the rule
# with resourceNames, or remove secrets if only configmaps are needed.
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
---
# Cluster-wide read-only access to events, namespaces and nodes for the
# dashboard (attached by the ClusterRoleBinding below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: centraldashboard
    app.kubernetes.io/component: centraldashboard
    app.kubernetes.io/name: centraldashboard
    kustomize.component: centraldashboard
  name: centraldashboard
rules:
- apiGroups:
  - ""
  resources:
  - events
  - namespaces
  - nodes
  verbs:
  - get
  - list
  - watch
---
# Binds the centraldashboard Role to the centraldashboard service account in
# the kubeflow namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: centraldashboard
    app.kubernetes.io/component: centraldashboard
    app.kubernetes.io/name: centraldashboard
    kustomize.component: centraldashboard
  name: centraldashboard
  namespace: kubeflow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: centraldashboard
subjects:
- kind: ServiceAccount
  name: centraldashboard
  namespace: kubeflow
---
# Binds the centraldashboard ClusterRole to the same service account for all
# namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: centraldashboard
    app.kubernetes.io/component: centraldashboard
    app.kubernetes.io/name: centraldashboard
    kustomize.component: centraldashboard
  name: centraldashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: centraldashboard
subjects:
- kind: ServiceAccount
  name: centraldashboard
  namespace: kubeflow
---
apiVersion: v1 data: links: |- { "menuLinks": [ { "type": "item", "link": "/jupyter/", "text": "Notebooks", "icon": "book"
}, { "type": "item", "link": "/tensorboards/", "text": "Tensorboards", "icon": "assessment" }, { "type": "item", "link": "/volumes/", "text": "Volumes", "icon": "device:storage" }, { "type": "item", "link": "/katib/", "text": "Experiments (AutoML)", "icon": "kubeflow:katib" }, { "type": "item", "text": "Experiments (KFP)", "link": "/pipeline/#/experiments", "icon": "done-all" }, { "type": "item", "link": "/pipeline/#/pipelines", "text": "Pipelines", "icon": "kubeflow:pipeline-centered" }, { "type": "item", "link": "/pipeline/#/runs", "text": "Runs", "icon": "maps:directions-run" }, { "type": "item", "link": "/pipeline/#/recurringruns", "text": "Recurring Runs", "icon": "device:access-alarm" }, { "type": "item", "link": "/pipeline/#/artifacts", "text": "Artifacts", "icon": "editor:bubble-chart" }, { "type": "item", "link": "/pipeline/#/executions", "text": "Executions", "icon": "av:play-arrow" } ], "externalLinks": [ ], "quickLinks": [ { "text": "Upload a pipeline", "desc": "Pipelines", "link": "/pipeline/" }, { "text": "View all pipeline runs", "desc": "Pipelines", "link": "/pipeline/#/runs" }, { "text": "Create a new Notebook server", "desc": "Notebook Servers", "link": "/jupyter/new?namespace=kubeflow" }, { "text": "View Katib Experiments", "desc": "Katib", "link": "/katib/" } ], "documentationItems": [ { "text": "Getting Started with Kubeflow", "desc": "Get your machine-learning workflow up and running on Kubeflow", "link": "https://www.kubeflow.org/docs/started/getting-started/" }, { "text": "MiniKF", "desc": "A fast and easy way to deploy Kubeflow locally", "link": "https://www.kubeflow.org/docs/started/getting-started-minikf/" }, { "text": "Microk8s for Kubeflow", "desc": "Quickly get Kubeflow running locally on native hypervisors", "link": "https://www.kubeflow.org/docs/started/getting-started-multipass/" }, { "text": "Minikube for Kubeflow", "desc": "Quickly get Kubeflow running locally", "link": 
"https://www.kubeflow.org/docs/started/getting-started-minikube/" }, { "text": "Kubeflow on GCP", "desc": "Running Kubeflow on Kubernetes Engine and Google Cloud Platform", "link": "https://www.kubeflow.org/docs/gke/" }, { "text": "Kubeflow on AWS", "desc": "Running Kubeflow on Elastic Container Service and Amazon Web Services", "link": "https://www.kubeflow.org/docs/aws/" }, { "text": "Requirements for Kubeflow", "desc": "Get more detailed information about using Kubeflow and its components", "link": "https://www.kubeflow.org/docs/started/requirements/" } ] } settings: |- { "DASHBOARD_FORCE_IFRAME": true } kind: ConfigMap metadata: labels: app: centraldashboard app.kubernetes.io/component: centraldashboard app.kubernetes.io/name: centraldashboard kustomize.component: centraldashboard name: centraldashboard-config namespace: kubeflow --- apiVersion: v1 data: CD_CLUSTER_DOMAIN: cluster.local CD_REGISTRATION_FLOW: "false" CD_USERID_HEADER: kubeflow-userid CD_USERID_PREFIX: "" kind: ConfigMap metadata: labels: app: centraldashboard app.kubernetes.io/component: centraldashboard app.kubernetes.io/name: centraldashboard kustomize.component: centraldashboard name: centraldashboard-parameters namespace: kubeflow --- apiVersion: v1 kind: Service metadata: labels: app: centraldashboard app.kubernetes.io/component: centraldashboard app.kubernetes.io/name: centraldashboard kustomize.component: centraldashboard name: centraldashboard namespace: kubeflow spec: ports: - port: 80 protocol: TCP targetPort: 8082 selector: app: centraldashboard app.kubernetes.io/component: centraldashboard app.kubernetes.io/name: centraldashboard kustomize.component: centraldashboard sessionAffinity: None type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: centraldashboard app.kubernetes.io/component: centraldashboard app.kubernetes.io/name: centraldashboard kustomize.component: centraldashboard name: centraldashboard namespace: kubeflow spec: replicas: 1 selector: 
matchLabels: app: centraldashboard app.kubernetes.io/component: centraldashboard app.kubernetes.io/name: centraldashboard kustomize.component: centraldashboard template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: centraldashboard app.kubernetes.io/component: centraldashboard app.kubernetes.io/name: centraldashboard kustomize.component: centraldashboard spec: containers: - env: - name: USERID_HEADER value: kubeflow-userid - name: USERID_PREFIX value: "" - name: PROFILES_KFAM_SERVICE_HOST value: profiles-kfam.kubeflow - name: REGISTRATION_FLOW value: "false" - name: DASHBOARD_LINKS_CONFIGMAP value: centraldashboard-config image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-central-dashboard:v1.3.0-rc.0-a0ffd imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz port: 8082 initialDelaySeconds: 30 periodSeconds: 30 name: centraldashboard ports: - containerPort: 8082 protocol: TCP serviceAccountName: centraldashboard --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: labels: app: centraldashboard app.kubernetes.io/component: centraldashboard app.kubernetes.io/name: centraldashboard kustomize.component: centraldashboard name: centraldashboard namespace: kubeflow spec: gateways: - kubeflow-gateway hosts: - '*' http: - match: - uri: prefix: / rewrite: uri: / route: - destination: host: centraldashboard.kubeflow.svc.cluster.local port: number: 80 ================================================ FILE: manifest1.3/021-admission-webhook-overlays-cert-manager.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: poddefaults app.kubernetes.io/component: poddefaults app.kubernetes.io/name: poddefaults kustomize.component: poddefaults name: poddefaults.kubeflow.org spec: group: kubeflow.org names: kind: PodDefault plural: poddefaults singular: poddefault scope: Namespaced validation: openAPIV3Schema: properties: 
apiVersion: type: string kind: type: string metadata: type: object spec: properties: desc: type: string env: items: type: object type: array envFrom: items: type: object type: array selector: type: object serviceAccountName: type: string volumeMounts: items: type: object type: array volumes: items: type: object type: array required: - selector type: object status: type: object type: object version: v1alpha1 --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: poddefaults app.kubernetes.io/component: poddefaults app.kubernetes.io/name: poddefaults kustomize.component: poddefaults name: admission-webhook-service-account namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: poddefaults app.kubernetes.io/component: poddefaults app.kubernetes.io/name: poddefaults kustomize.component: poddefaults name: admission-webhook-cluster-role rules: - apiGroups: - kubeflow.org resources: - poddefaults verbs: - get - watch - list - update - create - patch - delete --- aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: poddefaults app.kubernetes.io/component: poddefaults app.kubernetes.io/name: poddefaults kustomize.component: poddefaults rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" name: admission-webhook-kubeflow-poddefaults-admin rules: [] --- aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: poddefaults app.kubernetes.io/component: poddefaults app.kubernetes.io/name: poddefaults kustomize.component: poddefaults rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" name: admission-webhook-kubeflow-poddefaults-edit rules: [] --- apiVersion: 
rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: poddefaults app.kubernetes.io/component: poddefaults app.kubernetes.io/name: poddefaults kustomize.component: poddefaults rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true" rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true" rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" name: admission-webhook-kubeflow-poddefaults-view rules: - apiGroups: - kubeflow.org resources: - poddefaults verbs: - get - list - watch
---
# Binds the webhook's ServiceAccount to admission-webhook-cluster-role.
# That ClusterRole is defined before this point, so its rules are not reviewed here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: poddefaults
    app.kubernetes.io/component: poddefaults
    app.kubernetes.io/name: poddefaults
    kustomize.component: poddefaults
  name: admission-webhook-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admission-webhook-cluster-role
subjects:
- kind: ServiceAccount
  name: admission-webhook-service-account
  namespace: kubeflow
---
# Service fronting the webhook: port 443 forwards to the container port
# named https-webhook (4443 in the Deployment below).
apiVersion: v1
kind: Service
metadata:
  labels:
    app: poddefaults
    app.kubernetes.io/component: poddefaults
    app.kubernetes.io/name: poddefaults
    kustomize.component: poddefaults
  name: admission-webhook-service
  namespace: kubeflow
spec:
  ports:
  - name: https-webhook
    port: 443
    targetPort: https-webhook
  selector:
    app: poddefaults
    app.kubernetes.io/component: poddefaults
    app.kubernetes.io/name: poddefaults
    kustomize.component: poddefaults
---
# Runs the PodDefaults mutating admission webhook. It serves TLS with the
# key pair mounted from Secret webhook-certs (issued by the Certificate below).
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: poddefaults
    app.kubernetes.io/component: poddefaults
    app.kubernetes.io/name: poddefaults
    kustomize.component: poddefaults
  name: admission-webhook-deployment
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: poddefaults
      app.kubernetes.io/component: poddefaults
      app.kubernetes.io/name: poddefaults
      kustomize.component: poddefaults
  template:
    metadata:
      annotations:
        # No Istio sidecar is injected into this pod, so mesh-level policy
        # is not enforced in front of the webhook port.
        sidecar.istio.io/inject: "false"
      labels:
        app: poddefaults
        app.kubernetes.io/component: poddefaults
        app.kubernetes.io/name: poddefaults
        kustomize.component: poddefaults
    spec:
      # No securityContext or resource limits are set for this pod or container
      # in this manifest, so cluster defaults apply.
      containers:
      - args:
        - --tlsCertFile=/etc/webhook/certs/tls.crt
        - --tlsKeyFile=/etc/webhook/certs/tls.key
        # Referenced by tag, not by digest: the registry decides what content
        # the tag resolves to. This component mutates pods at admission time.
        # NOTE(review): verify the provenance of this registry namespace and
        # consider pinning by digest.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-admission-webhook:v1.3.0-rc.0-cc332
        name: admission-webhook
        ports:
        - containerPort: 4443
          name: https-webhook
        volumeMounts:
        - mountPath: /etc/webhook/certs
          name: webhook-cert
          readOnly: true
      serviceAccountName: admission-webhook-service-account
      volumes:
      - name: webhook-cert
        secret:
          secretName: webhook-certs
---
# Serving certificate for the webhook, written to Secret webhook-certs.
# cert-manager.io/v1alpha2 is an early API version.
# NOTE(review): confirm the installed cert-manager still serves it.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  labels:
    app: poddefaults
    app.kubernetes.io/component: poddefaults
    app.kubernetes.io/name: poddefaults
    kustomize.component: poddefaults
  name: admission-webhook-cert
  namespace: kubeflow
spec:
  commonName: admission-webhook-service.kubeflow.svc
  dnsNames:
  - admission-webhook-service.kubeflow.svc
  - admission-webhook-service.kubeflow.svc.cluster.local
  # Issued by a selfSigned Issuer with isCA: true, so the certificate the
  # webhook serves is also a CA certificate. Its private key sits in Secret
  # webhook-certs, which the webhook pod mounts. The MutatingWebhookConfiguration
  # that follows takes its caBundle from this Certificate (inject-ca-from), so
  # anyone who can read that Secret can present certificates the API server
  # accepts for this webhook. Restrict read access to the Secret accordingly.
  isCA: true
  issuerRef:
    kind: Issuer
    name: admission-webhook-selfsigned-issuer
  secretName: webhook-certs
---
# Namespace-scoped self-signed issuer used only for the certificate above.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  labels:
    app: poddefaults
    app.kubernetes.io/component: poddefaults
    app.kubernetes.io/name: poddefaults
    kustomize.component: poddefaults
  name: admission-webhook-selfsigned-issuer
  namespace: kubeflow
spec:
  selfSigned: {}
---
apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: kubeflow/admission-webhook-cert labels: app: poddefaults app.kubernetes.io/component: poddefaults app.kubernetes.io/name: poddefaults kustomize.component: poddefaults name: admission-webhook-mutating-webhook-configuration webhooks: - clientConfig: caBundle: "" service: name: admission-webhook-service namespace: kubeflow path: /apply-poddefault name: admission-webhook-deployment.kubeflow.org namespaceSelector: matchLabels: app.kubernetes.io/part-of: kubeflow-profile rules: - apiGroups: - "" apiVersions: - v1 operations: -
CREATE resources: - pods

================================================
FILE: manifest1.3/022-jupyter-overlays-istio.yaml
================================================
# Identity the Jupyter web app Deployment runs as. Its cluster-wide rights
# come from jupyter-web-app-cluster-role (bound further down).
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
  name: jupyter-web-app-service-account
  namespace: kubeflow
---
# Namespaced Role in kubeflow, bound below to a ServiceAccount named
# jupyter-notebook. rbac.authorization.k8s.io/v1beta1 is no longer served as
# of Kubernetes 1.22; the v1 API is used by the other RBAC objects in this file.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
  name: jupyter-web-app-jupyter-notebook-role
  namespace: kubeflow
rules:
# All verbs on pods, pod logs, secrets and services in the kubeflow namespace.
# The subject can therefore read every Secret in that namespace.
# NOTE(review): confirm which workload needs secrets with '*' and narrow it.
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  - secrets
  - services
  verbs:
  - '*'
- apiGroups:
  - ""
  - apps
  - extensions
  resources:
  - deployments
  - replicasets
  verbs:
  - '*'
# Wildcard resources and verbs: every kubeflow.org resource type, including
# any added by CRDs installed later.
- apiGroups:
  - kubeflow.org
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - '*'
---
# Cluster-wide rights of the web app's own ServiceAccount: create/delete
# namespaces, notebooks, poddefaults and PVCs in any namespace, and list nodes.
# These are not scoped per end user.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
  name: jupyter-web-app-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - create
  - delete
# presumably the app creates SubjectAccessReviews to check the calling user's
# permission before acting with its own rights; verify in the app code, since
# that check is the only per-user boundary visible from this manifest.
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - kubeflow.org
  resources:
  - notebooks
  - notebooks/finalizers
  - poddefaults
  verbs:
  - get
  - list
  - create
  - delete
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
- apiGroups:
  - ""
  resources:
  - events
  - nodes
  verbs:
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
---
# The next three ClusterRoles carry aggregate-to-kubeflow-{admin,edit,view}
# labels. Presumably they are merged into aggregated kubeflow roles defined
# elsewhere; the admin one has no rules of its own.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
  name: jupyter-web-app-kubeflow-notebook-ui-admin
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
  name: jupyter-web-app-kubeflow-notebook-ui-edit
rules:
- apiGroups:
  - kubeflow.org
  resources:
  - notebooks
  - notebooks/finalizers
  - poddefaults
  verbs:
  - get
  - list
  - create
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
  name: jupyter-web-app-kubeflow-notebook-ui-view
rules:
- apiGroups:
  - kubeflow.org
  resources:
  - notebooks
  - notebooks/finalizers
  - poddefaults
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
---
# Grants the wildcard Role above to ServiceAccount jupyter-notebook. The
# subject has no namespace field, and no ServiceAccount of that name is
# created in the documents shown here.
# NOTE(review): confirm what runs as jupyter-notebook; if nothing does, this
# binding leaves a ready-made grant (including secrets '*') for any account
# later created with that name.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
  name: jupyter-web-app-jupyter-notebook-role-binding
  namespace: kubeflow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jupyter-web-app-jupyter-notebook-role
subjects:
- kind: ServiceAccount
  name: jupyter-notebook
---
# Binds jupyter-web-app-cluster-role to the web app's ServiceAccount cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
  name: jupyter-web-app-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jupyter-web-app-cluster-role
subjects:
- kind: ServiceAccount
  name: jupyter-web-app-service-account
  namespace: kubeflow
---
apiVersion: v1 data: spawner_ui_config.yaml: | # Configuration file for the Jupyter UI. # # Each Jupyter UI option is configured by two keys: 'value' and 'readOnly' # - The 'value' key contains the default value # - The 'readOnly' key determines if the option will be available to users # # If the 'readOnly' key is present and set to 'true', the respective option # will be disabled for users and only set by the admin.
Also when a # Notebook is POSTED to the API if a necessary field is not present then # the value from the config will be used. # # If the 'readOnly' key is missing (defaults to 'false'), the respective option # will be available for users to edit. # # Note that some values can be templated. Such values are the names of the # Volumes as well as their StorageClass spawnerFormDefaults: image: # The container Image for the user's Jupyter Notebook value: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy:v1.3.0-rc.0 # The list of available standard container Images options: - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy:v1.3.0-rc.0 - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-full:v1.3.0-rc.0 - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-cuda-full:v1.3.0-rc.0 - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-full:v1.3.0-rc.0 - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-cuda-full:v1.3.0-rc.0 imageVSCode: # The container Image for the user's VS-Code Server value: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/codeserver-python:v1.3.0-rc.0 # The list of available standard container Images options: - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/codeserver-python:v1.3.0-rc.0 imageRStudio: # The container Image for the user's RStudio Server value: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/rstudio-tidyverse:v1.3.0-rc.0 # The list of available standard container Images options: - public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/rstudio-tidyverse:v1.3.0-rc.0 allowCustomImage: true imagePullPolicy: value: IfNotPresent readOnly: false cpu: # CPU for user's Notebook value: '0.5' readOnly: false memory: # Memory for user's Notebook value: 1.0Gi readOnly: false workspaceVolume: # Workspace Volume to be attached to user's Notebook # Each Workspace Volume is declared with the following attributes: # Type, Name, Size, MountPath and Access 
Mode value: type: # The Type of the Workspace Volume # Supported values: 'New', 'Existing' value: New name: # The Name of the Workspace Volume # Note that this is a templated value. Special values: # {notebook-name}: Replaced with the name of the Notebook. The frontend # will replace this value as the user types the name value: 'workspace-{notebook-name}' size: # The Size of the Workspace Volume (in Gi) value: '10Gi' mountPath: # The Path that the Workspace Volume will be mounted value: /home/jovyan accessModes: # The Access Mode of the Workspace Volume # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany' value: ReadWriteOnce class: # The StrageClass the PVC will use if type is New. Special values are: # {none}: default StorageClass # {empty}: empty string "" value: '{none}' readOnly: false dataVolumes: # List of additional Data Volumes to be attached to the user's Notebook value: [] # Each Data Volume is declared with the following attributes: # Type, Name, Size, MountPath and Access Mode # # For example, a list with 2 Data Volumes: # value: # - value: # type: # value: New # name: # value: '{notebook-name}-vol-1' # size: # value: '10Gi' # class: # value: standard # mountPath: # value: /home/jovyan/vol-1 # accessModes: # value: ReadWriteOnce # class: # value: {none} # - value: # type: # value: New # name: # value: '{notebook-name}-vol-2' # size: # value: '10Gi' # mountPath: # value: /home/jovyan/vol-2 # accessModes: # value: ReadWriteMany # class: # value: {none} readOnly: false gpus: # Number of GPUs to be assigned to the Notebook Container value: # values: "none", "1", "2", "4", "8" num: "none" # Determines what the UI will show and send to the backend vendors: - limitsKey: "nvidia.com/gpu" uiName: "NVIDIA" - limitsKey: "amd.com/gpu" uiName: "AMD" # Values: "" or a `limits-key` from the vendors list vendor: "" readOnly: false shm: value: true readOnly: false configurations: # List of labels to be selected, these are the labels from PodDefaults # 
value: # - add-gcp-secret # - default-editor value: [] readOnly: false affinityConfig: # The default `configKey` from the options list # If readonly, the default value will be the only option value: "none" # The list of available affinity configs options: [] # # (DESC) Pod gets an exclusive "n1-standard-2" Node # # (TIP) set PreferNoSchedule taint on this node-pool # # (TIP) enable cluster-autoscaler on this node-pool # # (TIP) dont let users request more CPU/MEMORY than the size of this node # - configKey: "exclusive__n1-standard-2" # displayName: "Exclusive: n1-standard-2" # affinity: # # (Require) Node having label: `node_pool=notebook-n1-standard-2` # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # nodeSelectorTerms: # - matchExpressions: # - key: "node_pool" # operator: "In" # values: # - "notebook-n1-standard-2" # # (Require) Node WITHOUT existing Pod having label: `notebook-name` # podAntiAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # - labelSelector: # matchExpressions: # - key: "notebook-name" # operator: "Exists" # namespaces: [] # topologyKey: "kubernetes.io/hostname" readOnly: false tolerationGroup: # The default `groupKey` from the options list # If readonly, the default value will be the only option value: "none" # The list of available tolerationGroup configs options: [] # - groupKey: "group_1" # displayName: "Group 1: description" # tolerations: # - key: "key1" # operator: "Equal" # value: "value1" # effect: "NoSchedule" # - key: "key2" # operator: "Equal" # value: "value2" # effect: "NoSchedule" readOnly: false kind: ConfigMap metadata: labels: app: jupyter-web-app kustomize.component: jupyter-web-app name: jupyter-web-app-config-tkhtgh5mcm namespace: kubeflow --- apiVersion: v1 data: JWA_CLUSTER_DOMAIN: cluster.local JWA_PREFIX: /jupyter JWA_UI: default JWA_USERID_HEADER: kubeflow-userid JWA_USERID_PREFIX: "" kind: ConfigMap metadata: labels: app: jupyter-web-app kustomize.component: jupyter-web-app name: 
jupyter-web-app-parameters-chmg88cm48 namespace: kubeflow --- apiVersion: v1 kind: Service metadata: labels: app: jupyter-web-app kustomize.component: jupyter-web-app run: jupyter-web-app name: jupyter-web-app-service namespace: kubeflow spec: ports: - name: http port: 80 protocol: TCP targetPort: 5000 selector: app: jupyter-web-app kustomize.component: jupyter-web-app type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: jupyter-web-app kustomize.component: jupyter-web-app name: jupyter-web-app-deployment namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: jupyter-web-app kustomize.component: jupyter-web-app template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: jupyter-web-app kustomize.component: jupyter-web-app spec: containers: - env: - name: APP_PREFIX value: /jupyter - name: UI value: default - name: USERID_HEADER value: kubeflow-userid - name: USERID_PREFIX value: "" image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-jupyter-web-app:v1.3.0-rc.0-70edb name: jupyter-web-app ports: - containerPort: 5000 volumeMounts: - mountPath: /etc/config name: config-volume serviceAccountName: jupyter-web-app-service-account volumes: - configMap: name: jupyter-web-app-config-tkhtgh5mcm name: config-volume --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: labels: app: jupyter-web-app kustomize.component: jupyter-web-app name: jupyter-web-app-jupyter-web-app namespace: kubeflow spec: gateways: - kubeflow-gateway hosts: - '*' http: - headers: request: add: x-forwarded-prefix: /jupyter match: - uri: prefix: /jupyter/ rewrite: uri: / route: - destination: host: jupyter-web-app-service.kubeflow.svc.cluster.local port: number: 80 ================================================ FILE: manifest1.3/023-jupyter-overlays-kubeflow.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: 
notebook-controller kustomize.component: notebook-controller name: notebooks.kubeflow.org spec: group: kubeflow.org names: kind: Notebook plural: notebooks singular: notebook scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: template: description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file' properties: spec: type: object type: object type: object status: properties: conditions: description: Conditions is an array of current conditions items: properties: type: description: Type of the confition/ type: string required: - type type: object type: array required: - conditions type: object versions: - name: v1alpha1 served: true storage: false - name: v1beta1 served: true storage: false - name: v1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: notebook-controller kustomize.component: notebook-controller name: notebook-controller-service-account namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app: notebook-controller kustomize.component: notebook-controller name: notebook-controller-leader-election-role namespace: kubeflow rules: - apiGroups: - 
"" resources: - configmaps verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - configmaps/status verbs: - get - update - patch - apiGroups: - "" resources: - events verbs: - create --- aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: notebook-controller kustomize.component: notebook-controller rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" name: notebook-controller-kubeflow-notebooks-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: notebook-controller kustomize.component: notebook-controller rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true" name: notebook-controller-kubeflow-notebooks-edit rules: - apiGroups: - kubeflow.org resources: - notebooks - notebooks/status verbs: - get - list - watch - create - delete - deletecollection - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: notebook-controller kustomize.component: notebook-controller rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" name: notebook-controller-kubeflow-notebooks-view rules: - apiGroups: - kubeflow.org resources: - notebooks - notebooks/status verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null labels: app: notebook-controller kustomize.component: notebook-controller name: notebook-controller-role rules: - apiGroups: - apps resources: - statefulsets verbs: - '*' - apiGroups: - "" resources: - events verbs: - create - get - list - watch - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - "" resources: - services verbs: - '*' - apiGroups: - kubeflow.org resources: 
- notebooks - notebooks/finalizers - notebooks/status verbs: - '*' - apiGroups: - networking.istio.io resources: - virtualservices verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: notebook-controller kustomize.component: notebook-controller name: notebook-controller-leader-election-rolebinding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: notebook-controller-leader-election-role subjects: - kind: ServiceAccount name: notebook-controller-service-account namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: notebook-controller kustomize.component: notebook-controller name: notebook-controller-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: notebook-controller-role subjects: - kind: ServiceAccount name: notebook-controller-service-account namespace: kubeflow --- apiVersion: v1 data: ISTIO_GATEWAY: kubeflow/kubeflow-gateway USE_ISTIO: "true" kind: ConfigMap metadata: annotations: {} labels: app: notebook-controller kustomize.component: notebook-controller name: notebook-controller-config-m44cmb547t namespace: kubeflow --- apiVersion: v1 kind: Service metadata: labels: app: notebook-controller kustomize.component: notebook-controller name: notebook-controller-service namespace: kubeflow spec: ports: - port: 443 selector: app: notebook-controller kustomize.component: notebook-controller --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: notebook-controller kustomize.component: notebook-controller name: notebook-controller-deployment namespace: kubeflow spec: selector: matchLabels: app: notebook-controller kustomize.component: notebook-controller template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: notebook-controller kustomize.component: notebook-controller spec: containers: - command: - /manager env: - name: USE_ISTIO valueFrom: configMapKeyRef: key: 
USE_ISTIO name: notebook-controller-config-m44cmb547t - name: ISTIO_GATEWAY valueFrom: configMapKeyRef: key: ISTIO_GATEWAY name: notebook-controller-config-m44cmb547t image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-notebook-controller:v1.3.0-rc.0-4c9fa imagePullPolicy: Always livenessProbe: httpGet: path: /metrics port: 8080 initialDelaySeconds: 30 periodSeconds: 30 name: manager serviceAccountName: notebook-controller-service-account ================================================ FILE: manifest1.3/024-profiles-overlays-kubeflow.yaml ================================================ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 labels: kustomize.component: profiles name: profiles.kubeflow.org spec: conversion: strategy: None group: kubeflow.org names: kind: Profile listKind: ProfileList plural: profiles singular: profile scope: Cluster versions: - name: v1 schema: openAPIV3Schema: description: Profile is the Schema for the profiles API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: ProfileSpec defines the desired state of Profile properties: owner: description: The profile owner properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. 
Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object plugins: items: description: Plugin is for customize actions on different platform. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string spec: type: object type: object type: array resourceQuotaSpec: description: Resourcequota that will be applied to target namespace properties: hard: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: 'hard is the set of desired hard limits for each named resource. 
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' type: object scopeSelector: description: scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. properties: matchExpressions: description: A list of scope selector requirements by scope of the resources. items: description: A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values. properties: operator: description: Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. type: string scopeName: description: The name of the scope that the selector applies to. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - operator - scopeName type: object type: array type: object scopes: description: A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects. 
items: description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota type: string type: array type: object type: object status: description: ProfileStatus defines the observed state of Profile properties: conditions: items: properties: message: type: string status: type: string type: type: string type: object type: array type: object type: object served: true storage: true subresources: status: {} - name: v1beta1 schema: openAPIV3Schema: description: Profile is the Schema for the profiles API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: ProfileSpec defines the desired state of Profile properties: owner: description: The profile owner properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. 
If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object plugins: items: description: Plugin is for customize actions on different platform. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string spec: type: object type: object type: array resourceQuotaSpec: description: Resourcequota that will be applied to target namespace properties: hard: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: 'hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' type: object scopeSelector: description: scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. properties: matchExpressions: description: A list of scope selector requirements by scope of the resources. 
items: description: A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values. properties: operator: description: Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. type: string scopeName: description: The name of the scope that the selector applies to. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - operator - scopeName type: object type: array type: object scopes: description: A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects. items: description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota type: string type: array type: object type: object status: description: ProfileStatus defines the observed state of Profile properties: conditions: items: properties: message: type: string status: type: string type: type: string type: object type: array type: object type: object served: true storage: false subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: v1 kind: ServiceAccount metadata: labels: kustomize.component: profiles name: profiles-controller-service-account namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: kustomize.component: profiles name: profiles-leader-election-role namespace: kubeflow rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - configmaps/status verbs: - get - update - patch - apiGroups: - "" resources: - events verbs: - create --- apiVersion: 
rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: kustomize.component: profiles name: profiles-leader-election-rolebinding namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: profiles-leader-election-role subjects: - kind: ServiceAccount name: profiles-controller-service-account namespace: kubeflow
---
# Binds the built-in cluster-admin ClusterRole to the profiles controller's
# ServiceAccount, cluster-wide. cluster-admin allows every verb on every
# resource in every namespace. Both containers of profiles-deployment below
# (kfam and manager) run as this ServiceAccount, so a compromise of either
# container, or a leak of its token, gives full control of the cluster.
# NOTE(review): confirm whether a narrower ClusterRole would be enough, and
# monitor API audit logs for this ServiceAccount being used from outside
# the profiles pod.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    kustomize.component: profiles
  name: profiles-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: profiles-controller-service-account
  namespace: kubeflow
---
# Values substituted into the command lines of both containers via envFrom.
apiVersion: v1
data:
  # Passed to kfam as the value of -cluster-admin; empty here.
  ADMIN: ""
  # Name of the HTTP request header given to both binaries as -userid-header.
  # presumably the caller's identity is read from this header; if so, it is
  # only trustworthy when every path to the pod goes through the gateway that
  # authenticates the user and sets it. Confirm.
  USERID_HEADER: kubeflow-userid
  USERID_PREFIX: ""
  WORKLOAD_IDENTITY: ""
kind: ConfigMap
metadata:
  labels:
    kustomize.component: profiles
  name: profiles-config-46c7tgh6fd
  namespace: kubeflow
---
# In-cluster Service for the kfam container (port 8081).
apiVersion: v1
kind: Service
metadata:
  labels:
    kustomize.component: profiles
  name: profiles-kfam
  namespace: kubeflow
spec:
  ports:
  - port: 8081
  selector:
    kustomize.component: profiles
---
# One pod with two containers, kfam (access management API, 8081) and
# manager (profile controller, 8080), sharing the cluster-admin ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    kustomize.component: profiles
  name: profiles-deployment
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      kustomize.component: profiles
  template:
    metadata:
      annotations:
        # No Istio sidecar in this pod, so no mesh mTLS or authorization policy
        # is enforced in front of ports 8081/8080.
        # NOTE(review): verify that a NetworkPolicy or equivalent restricts who
        # can reach profiles-kfam directly, given that requests carry identity
        # in a plain header.
        sidecar.istio.io/inject: "false"
      labels:
        kustomize.component: profiles
    spec:
      # No securityContext or resource limits are set for this pod or its
      # containers in this manifest, so cluster defaults apply.
      containers:
      - command:
        - /access-management
        - -cluster-admin
        - $(ADMIN)
        - -userid-header
        - $(USERID_HEADER)
        - -userid-prefix
        - $(USERID_PREFIX)
        envFrom:
        - configMapRef:
            name: profiles-config-46c7tgh6fd
        # Referenced by tag, not digest. With imagePullPolicy: Always the tag
        # is resolved again at every pod start, so the code that runs with
        # cluster-admin is whatever the registry serves for this tag at that
        # moment.
        # NOTE(review): verify provenance of this registry namespace and
        # consider pinning by digest.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-access-management:v1.3.0-rc.0-a869b
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /metrics
            port: 8081
          initialDelaySeconds: 30
          periodSeconds: 30
        name: kfam
        ports:
        - containerPort: 8081
          name: kfam-http
          protocol: TCP
      - command:
        - /manager
        - -userid-header
        - $(USERID_HEADER)
        - -userid-prefix
        - $(USERID_PREFIX)
        - -workload-identity
        - $(WORKLOAD_IDENTITY)
        envFrom:
        - configMapRef:
            name: profiles-config-46c7tgh6fd
        # Same tag-plus-Always pull behaviour as the kfam image above.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-profile-controller:v1.3.0-rc.0-ce3b3
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /metrics
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 30
        name: manager
        ports:
        - containerPort: 8080
          name: manager-http
          protocol: TCP
      serviceAccountName: profiles-controller-service-account
---
# Routes /kfam/ on kubeflow-gateway, for any Host, to profiles-kfam:8081.
# Authentication is whatever the gateway enforces; it is not defined in this document.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  labels:
    kustomize.component: profiles
  name: profiles-kfam
  namespace: kubeflow
spec:
  gateways:
  - kubeflow-gateway
  hosts:
  - '*'
  http:
  - headers:
      request:
        add:
          x-forwarded-prefix: /kfam
    match:
    - uri:
        prefix: /kfam/
    rewrite:
      uri: /kfam/
    route:
    - destination:
        host: profiles-kfam.kubeflow.svc.cluster.local
        port:
          number: 8081

================================================
FILE: manifest1.3/025-volumes-web-app-overlays-istio.yaml
================================================
# Identity the volumes web app runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: volumes-web-app
    kustomize.component: volumes-web-app
  name: volumes-web-app-service-account
  namespace: kubeflow
---
# Cluster-wide rights of the volumes web app's own ServiceAccount: it can
# create, modify and delete PersistentVolumeClaims in any namespace and read
# namespaces and pods. These rights are not scoped per end user.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: volumes-web-app
    kustomize.component: volumes-web-app
  name: volumes-web-app-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - list
# presumably used to check the calling user's permission before the app acts
# with its own rights; verify in the app code.
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
---
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: volumes-web-app kustomize.component: volumes-web-app rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" name:
volumes-web-app-kubeflow-volume-ui-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: volumes-web-app kustomize.component: volumes-web-app rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" name: volumes-web-app-kubeflow-volume-ui-edit rules: - apiGroups: - "" resources: - persistentvolumeclaims verbs: - create - delete - get - list - watch - update - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: volumes-web-app kustomize.component: volumes-web-app rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" name: volumes-web-app-kubeflow-volume-ui-view rules: - apiGroups: - "" resources: - persistentvolumeclaims verbs: - get - list - watch - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: volumes-web-app kustomize.component: volumes-web-app name: volumes-web-app-cluster-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: volumes-web-app-cluster-role subjects: - kind: ServiceAccount name: volumes-web-app-service-account namespace: kubeflow --- apiVersion: v1 data: VWA_CLUSTER_DOMAIN: cluster.local VWA_PREFIX: /volumes VWA_USERID_HEADER: kubeflow-userid VWA_USERID_PREFIX: "" kind: ConfigMap metadata: labels: app: volumes-web-app kustomize.component: volumes-web-app name: volumes-web-app-parameters-4gg8cm2gmk namespace: kubeflow --- apiVersion: v1 kind: Service metadata: labels: app: volumes-web-app kustomize.component: volumes-web-app run: volumes-web-app name: volumes-web-app-service namespace: kubeflow spec: ports: - name: http port: 80 protocol: TCP targetPort: 5000 selector: app: volumes-web-app kustomize.component: volumes-web-app type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: volumes-web-app kustomize.component: volumes-web-app name: 
volumes-web-app-deployment namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: volumes-web-app kustomize.component: volumes-web-app template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: volumes-web-app kustomize.component: volumes-web-app spec: containers: - env: - name: APP_PREFIX value: /volumes - name: USERID_HEADER value: kubeflow-userid - name: USERID_PREFIX value: "" image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-volumes-web-app:v1.3.0-rc.0-fe235 name: volumes-web-app ports: - containerPort: 5000 serviceAccountName: volumes-web-app-service-account --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: labels: app: volumes-web-app kustomize.component: volumes-web-app name: volumes-web-app-volumes-web-app namespace: kubeflow spec: gateways: - kubeflow-gateway hosts: - '*' http: - headers: request: add: x-forwarded-prefix: /volumes match: - uri: prefix: /volumes/ rewrite: uri: / route: - destination: host: volumes-web-app-service.kubeflow.svc.cluster.local port: number: 80 ================================================ FILE: manifest1.3/026-tensorboard-overlays-kubeflow.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null name: tensorboards.tensorboard.kubeflow.org spec: group: tensorboard.kubeflow.org names: kind: Tensorboard listKind: TensorboardList plural: tensorboards singular: tensorboard scope: "" subresources: status: {} validation: openAPIV3Schema: description: Tensorboard is the Schema for the tensorboards API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: TensorboardSpec defines the desired state of Tensorboard properties: logspath: description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file' type: string required: - logspath type: object status: description: TensorboardStatus defines the observed state of Tensorboard properties: conditions: description: Conditions is an array of current conditions items: description: TensorboardCondition defines the observed state of Tensorboard properties: deploymentState: description: Deployment status, 'Available', 'Progressing', 'ReplicaFailure' . type: string lastProbeTime: description: Last time we probed the condition. format: date-time type: string required: - deploymentState type: object type: array readyReplicas: description: ReadyReplicas defines the number of Tensorboard Servers that are available to connect. 
The value of ReadyReplicas can be either 0 or 1 format: int32 type: integer required: - conditions - readyReplicas type: object type: object version: v1alpha1 versions: - name: v1alpha1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: v1 kind: ServiceAccount metadata: name: tensorboard-controller namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: tensorboard-controller-leader-election-role namespace: kubeflow rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - configmaps/status verbs: - get - update - patch - apiGroups: - "" resources: - events verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: tensorboard-controller-manager-role rules: - apiGroups: - apps resources: - deployments verbs: - create - get - list - update - watch - apiGroups: - "" resources: - persistentvolumeclaims verbs: - get - list - watch - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - "" resources: - services verbs: - create - get - list - update - watch - apiGroups: - networking.istio.io resources: - virtualservices verbs: - create - get - list - update - watch - apiGroups: - tensorboard.kubeflow.org resources: - tensorboards verbs: - create - delete - get - list - patch - update - watch - apiGroups: - tensorboard.kubeflow.org resources: - tensorboards/status verbs: - get - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: tensorboard-controller-proxy-role rules: - apiGroups: - authentication.k8s.io resources: - tokenreviews verbs: - create - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tensorboard-controller-leader-election-rolebinding 
namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: tensorboard-controller-leader-election-role subjects: - kind: ServiceAccount name: tensorboard-controller namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: tensorboard-controller-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: tensorboard-controller-manager-role subjects: - kind: ServiceAccount name: tensorboard-controller namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: tensorboard-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: tensorboard-controller-proxy-role subjects: - kind: ServiceAccount name: tensorboard-controller namespace: kubeflow --- apiVersion: v1 data: RWO_PVC_SCHEDULING: "True" kind: ConfigMap metadata: name: tensorboard-controller-config-bf88mm96c8 namespace: kubeflow --- apiVersion: v1 kind: Service metadata: annotations: prometheus.io/port: "8443" prometheus.io/scheme: https prometheus.io/scrape: "true" labels: control-plane: controller-manager name: tensorboard-controller-controller-manager-metrics-service namespace: kubeflow spec: ports: - name: https port: 8443 targetPort: https selector: control-plane: controller-manager --- apiVersion: apps/v1 kind: Deployment metadata: labels: control-plane: controller-manager name: tensorboard-controller-controller-manager namespace: kubeflow spec: replicas: 1 selector: matchLabels: control-plane: controller-manager template: metadata: labels: control-plane: controller-manager spec: containers: - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election command: - /manager envFrom: - configMapRef: name: tensorboard-controller-config-bf88mm96c8 image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-tensorboard-controller:v1.3.0-rc.0-31ba9 name: manager resources: limits: cpu: 100m memory: 30Mi requests: cpu: 
100m memory: 20Mi - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=10 image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubebuilder-kube-rbac-proxy:v0.4.0-83234 name: kube-rbac-proxy ports: - containerPort: 8443 name: https serviceAccountName: tensorboard-controller terminationGracePeriodSeconds: 10 ================================================ FILE: manifest1.3/027-tensorboard-overlays-istio.yaml ================================================ apiVersion: v1 kind: ServiceAccount metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app name: tensorboards-web-app-service-account namespace: kubeflow --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app name: tensorboards-web-app-cluster-role rules: - apiGroups: - "" resources: - namespaces verbs: - get - list - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create - apiGroups: - tensorboard.kubeflow.org resources: - tensorboards - tensorboards/finalizers verbs: - get - list - create - delete - apiGroups: - "" resources: - persistentvolumeclaims verbs: - create - delete - get - list - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" name: tensorboards-web-app-kubeflow-tensorboard-ui-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" name: tensorboards-web-app-kubeflow-tensorboard-ui-edit rules: - apiGroups: - tensorboard.kubeflow.org resources: - tensorboards - 
tensorboards/finalizers verbs: - get - list - create - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" name: tensorboards-web-app-kubeflow-tensorboard-ui-view rules: - apiGroups: - tensorboard.kubeflow.org resources: - tensorboards - tensorboards/finalizers verbs: - get - list - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app name: tensorboards-web-app-cluster-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: tensorboards-web-app-cluster-role subjects: - kind: ServiceAccount name: tensorboards-web-app-service-account namespace: kubeflow --- apiVersion: v1 data: TWA_CLUSTER_DOMAIN: cluster.local TWA_PREFIX: /tensorboards TWA_USERID_HEADER: kubeflow-userid TWA_USERID_PREFIX: "" kind: ConfigMap metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app name: tensorboards-web-app-parameters-g28fbd6cch namespace: kubeflow --- apiVersion: v1 kind: Service metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app run: tensorboards-web-app name: tensorboards-web-app-service namespace: kubeflow spec: ports: - name: http port: 80 protocol: TCP targetPort: 5000 selector: app: tensorboards-web-app kustomize.component: tensorboards-web-app type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app name: tensorboards-web-app-deployment namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: tensorboards-web-app kustomize.component: tensorboards-web-app template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: 
tensorboards-web-app kustomize.component: tensorboards-web-app spec: containers: - env: - name: APP_PREFIX value: /tensorboards - name: USERID_HEADER value: kubeflow-userid - name: USERID_PREFIX value: "" image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-tensorboards-web-app:v1.3.0-rc.0-258dd name: tensorboards-web-app ports: - containerPort: 5000 serviceAccountName: tensorboards-web-app-service-account --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app name: tensorboards-web-app-tensorboards-web-app namespace: kubeflow spec: gateways: - kubeflow-gateway hosts: - '*' http: - headers: request: add: x-forwarded-prefix: /tensorboards match: - uri: prefix: /tensorboards/ rewrite: uri: / route: - destination: host: tensorboards-web-app-service.kubeflow.svc.cluster.local port: number: 80 ================================================ FILE: manifest1.3/028-tf-training-overlays-kubeflow.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator name: tfjobs.kubeflow.org spec: additionalPrinterColumns: - JSONPath: .status.conditions[-1:].type name: State type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kubeflow.org names: kind: TFJob plural: tfjobs singular: tfjob scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: tfReplicaSpecs: properties: Chief: properties: replicas: maximum: 1 minimum: 1 type: integer Evaluator: properties: replicas: minimum: 0 type: integer PS: properties: replicas: minimum: 1 type: integer Worker: properties: replicas: minimum: 1 type: integer versions: - name: v1 served: true storage: true --- apiVersion: v1 kind: ServiceAccount metadata: 
labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator name: tf-job-operator namespace: kubeflow --- aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" name: kubeflow-tfjobs-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true" name: kubeflow-tfjobs-edit rules: - apiGroups: - kubeflow.org resources: - tfjobs - tfjobs/status verbs: - get - list - watch - create - delete - deletecollection - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" name: kubeflow-tfjobs-view rules: - apiGroups: - kubeflow.org resources: - tfjobs - tfjobs/status verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator name: tf-job-operator rules: - apiGroups: - kubeflow.org resources: - tfjobs - tfjobs/status - tfjobs/finalizers verbs: - '*' - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions 
verbs: - '*' - apiGroups: - "" resources: - pods - services - endpoints - events verbs: - '*' - apiGroups: - apps - extensions resources: - deployments verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator name: tf-job-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: tf-job-operator subjects: - kind: ServiceAccount name: tf-job-operator namespace: kubeflow --- apiVersion: v1 kind: Service metadata: annotations: prometheus.io/path: /metrics prometheus.io/port: "8443" prometheus.io/scrape: "true" labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator name: tf-job-operator namespace: kubeflow spec: ports: - name: monitoring-port port: 8443 targetPort: 8443 selector: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator name: tf-job-operator type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator name: tf-job-operator namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: tf-job-operator app.kubernetes.io/component: tfjob app.kubernetes.io/name: tf-job-operator kustomize.component: tf-job-operator name: tf-job-operator spec: containers: - args: - -monitoring-port=8443 env: - name: MY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: MY_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name image: 
registry.cn-shenzhen.aliyuncs.com/tensorbytes/training-tf-operator:cd2fc1ff397b1f349f68524f4abd5013a32e3033-b54e1 name: tf-job-operator serviceAccountName: tf-job-operator ================================================ FILE: manifest1.3/029-pytorch-job-overlays-kubeflow.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: pytorch-operator app.kubernetes.io/component: pytorch app.kubernetes.io/name: pytorch-operator kustomize.component: pytorch-operator name: pytorchjobs.kubeflow.org spec: additionalPrinterColumns: - JSONPath: .status.conditions[-1:].type name: State type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kubeflow.org names: kind: PyTorchJob plural: pytorchjobs singular: pytorchjob scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: pytorchReplicaSpecs: properties: Master: properties: replicas: maximum: 1 minimum: 1 type: integer Worker: properties: replicas: minimum: 1 type: integer versions: - name: v1 served: true storage: true --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: pytorch-operator app.kubernetes.io/component: pytorch app.kubernetes.io/name: pytorch-operator kustomize.component: pytorch-operator name: pytorch-operator namespace: kubeflow --- aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: pytorch-operator app.kubernetes.io/component: pytorch app.kubernetes.io/name: pytorch-operator kustomize.component: pytorch-operator rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" name: kubeflow-pytorchjobs-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: pytorch-operator app.kubernetes.io/component: pytorch 
app.kubernetes.io/name: pytorch-operator kustomize.component: pytorch-operator rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" name: kubeflow-pytorchjobs-edit rules: - apiGroups: - kubeflow.org resources: - pytorchjobs - pytorchjobs/status - pytorchjobs/finalizers verbs: - get - list - watch - create - delete - deletecollection - patch - update
---
# Read-only (get/list/watch) access to pytorchjobs and their status and
# finalizers subresources in the kubeflow.org API group.
# The aggregate-to-kubeflow-view label presumably lets an aggregated role
# defined elsewhere pick these rules up -- confirm against that role's
# aggregationRule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: pytorch-operator
    app.kubernetes.io/component: pytorch
    app.kubernetes.io/name: pytorch-operator
    kustomize.component: pytorch-operator
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
  name: kubeflow-pytorchjobs-view
rules:
- apiGroups:
  - kubeflow.org
  resources:
  - pytorchjobs
  - pytorchjobs/status
  - pytorchjobs/finalizers
  verbs:
  - get
  - list
  - watch
---
# Permissions of the operator itself; the ClusterRoleBinding that follows
# grants them cluster-wide to the pytorch-operator ServiceAccount.
# NOTE(review): every rule uses the wildcard verb '*'. On
# customresourcedefinitions that includes update and delete of any CRD in the
# cluster, not only pytorchjobs.kubeflow.org; on pods, services, endpoints and
# events it applies in every namespace. Listing explicit verbs (and
# resourceNames for the CRD rule) would narrow this -- confirm the set the
# operator actually needs first.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22 onward; the view role above already uses v1.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: pytorch-operator
    app.kubernetes.io/component: pytorch
    app.kubernetes.io/name: pytorch-operator
    kustomize.component: pytorch-operator
  name: pytorch-operator
rules:
- apiGroups:
  - kubeflow.org
  resources:
  - pytorchjobs
  - pytorchjobs/status
  - pytorchjobs/finalizers
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - endpoints
  - events
  verbs:
  - '*'
---
# Binds the pytorch-operator ClusterRole to the pytorch-operator
# ServiceAccount in the kubeflow namespace. Being a ClusterRoleBinding, the
# grant is not limited to that namespace.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: pytorch-operator
    app.kubernetes.io/component: pytorch
    app.kubernetes.io/name: pytorch-operator
    kustomize.component: pytorch-operator
  name: pytorch-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pytorch-operator
subjects:
- kind: ServiceAccount
  name: pytorch-operator
  namespace: kubeflow
---
apiVersion: v1 kind: Service metadata: annotations: prometheus.io/path: /metrics prometheus.io/port: "8443" prometheus.io/scrape: "true" labels:
app: pytorch-operator app.kubernetes.io/component: pytorch app.kubernetes.io/name: pytorch-operator kustomize.component: pytorch-operator name: pytorch-operator namespace: kubeflow spec: ports: - name: monitoring-port port: 8443 targetPort: 8443 selector: app: pytorch-operator app.kubernetes.io/component: pytorch app.kubernetes.io/name: pytorch-operator kustomize.component: pytorch-operator name: pytorch-operator type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: pytorch-operator app.kubernetes.io/component: pytorch app.kubernetes.io/name: pytorch-operator kustomize.component: pytorch-operator name: pytorch-operator namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: pytorch-operator app.kubernetes.io/component: pytorch app.kubernetes.io/name: pytorch-operator kustomize.component: pytorch-operator name: pytorch-operator template: metadata: labels: app: pytorch-operator app.kubernetes.io/component: pytorch app.kubernetes.io/name: pytorch-operator kustomize.component: pytorch-operator name: pytorch-operator spec: containers: - command: - /pytorch-operator.v1 - --alsologtostderr - -v=1 - --monitoring-port=8443 env: - name: MY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: MY_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflow-images-public-pytorch-operator:vmaster-g518f9c76-4fc09 name: pytorch-operator serviceAccountName: pytorch-operator ================================================ FILE: manifest1.3/030-mpi-job-overlays-kubeflow.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: mpi-operator app.kubernetes.io/component: mpijob app.kubernetes.io/name: mpi-operator kustomize.component: mpi-operator name: mpijobs.kubeflow.org spec: group: kubeflow.org names: kind: MPIJob plural: mpijobs shortNames: - mj - mpij singular: mpijob scope: 
Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: properties: spec: description: Only one of gpus, processingUnits, or replicas should be specified oneOf: - properties: gpus: description: Valid values are 1, 2, 4, or any multiple of 8 oneOf: - enum: - 1 - 2 - 4 type: integer - minimum: 8 multipleOf: 8 type: integer title: Total number of GPUs gpusPerNode: description: Defaults to the number of GPUs per worker minimum: 1 title: The maximum number of GPUs available per node type: integer slotsPerWorker: description: Defaults to the number of processing units per worker minimum: 1 title: The number of slots per worker used in hostfile type: integer required: - gpus - properties: processingResourceType: description: Defaults to 'nvidia.com/gpu' enum: - nvidia.com/gpu - cpu title: The processing resource type, e.g. 'nvidia.com/gpu' or 'cpu' type: string processingUnits: description: Valid values are 1, 2, 4, or any multiple of 8 oneOf: - enum: - 1 - 2 - 4 type: integer - minimum: 8 multipleOf: 8 type: integer title: Total number of processing units processingUnitsPerNode: description: Defaults to the number of processing units per worker minimum: 1 title: The maximum number of processing units available per node type: integer slotsPerWorker: description: Defaults to the number of processing units per worker minimum: 1 title: The number of slots per worker used in hostfile type: integer required: - processingUnits - properties: processingResourceType: description: Defaults to 'nvidia.com/gpu' enum: - nvidia.com/gpu - cpu title: The processing resource type, e.g. 
'nvidia.com/gpu' or 'cpu' type: string replicas: description: The processing resource limit should be specified for each replica minimum: 1 title: Total number of replicas type: integer slotsPerWorker: description: Defaults to the number of processing units per worker minimum: 1 title: The number of slots per worker used in hostfile type: integer required: - replicas title: The MPIJob spec served: false storage: false - name: v1alpha2 schema: openAPIV3Schema: properties: spec: properties: mpiReplicaSpecs: properties: Launcher: properties: replicas: maximum: 1 minimum: 1 type: integer Worker: properties: replicas: minimum: 1 type: integer slotsPerWorker: minimum: 1 type: integer served: true storage: false - name: v1 schema: openAPIV3Schema: properties: spec: properties: mpiReplicaSpecs: properties: Launcher: properties: replicas: maximum: 1 minimum: 1 type: integer Worker: properties: replicas: minimum: 1 type: integer slotsPerWorker: minimum: 1 type: integer served: true storage: true --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: mpi-operator app.kubernetes.io/component: mpijob app.kubernetes.io/name: mpi-operator kustomize.component: mpi-operator name: mpi-operator namespace: kubeflow --- aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: mpi-operator app.kubernetes.io/component: mpijob app.kubernetes.io/name: mpi-operator kustomize.component: mpi-operator rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" name: kubeflow-mpijobs-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: mpi-operator app.kubernetes.io/component: mpijob app.kubernetes.io/name: mpi-operator kustomize.component: mpi-operator rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" 
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true" name: kubeflow-mpijobs-edit rules: - apiGroups: - kubeflow.org resources: - mpijobs - mpijobs/status verbs: - get - list - watch - create - delete - deletecollection - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: mpi-operator app.kubernetes.io/component: mpijob app.kubernetes.io/name: mpi-operator kustomize.component: mpi-operator rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" name: kubeflow-mpijobs-view rules: - apiGroups: - kubeflow.org resources: - mpijobs - mpijobs/status verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: mpi-operator app.kubernetes.io/component: mpijob app.kubernetes.io/name: mpi-operator kustomize.component: mpi-operator name: mpi-operator rules: - apiGroups: - "" resources: - configmaps - serviceaccounts verbs: - create - list - watch - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - "" resources: - pods/exec verbs: - create - apiGroups: - "" resources: - endpoints verbs: - create - get - update - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - rbac.authorization.k8s.io resources: - roles - rolebindings verbs: - create - list - watch - apiGroups: - policy resources: - poddisruptionbudgets verbs: - create - list - update - watch - apiGroups: - apps resources: - statefulsets verbs: - create - list - update - watch - apiGroups: - batch resources: - jobs verbs: - create - list - update - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - create - get - apiGroups: - kubeflow.org resources: - mpijobs - mpijobs/finalizers - mpijobs/status verbs: - '*' - apiGroups: - scheduling.incubator.k8s.io - scheduling.sigs.dev resources: - queues - podgroups verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
# Fragment: metadata, roleRef and subjects of the mpi-operator
# ClusterRoleBinding, whose header is on the preceding line. It grants the
# mpi-operator ClusterRole to the mpi-operator ServiceAccount in "kubeflow";
# because this is a ClusterRoleBinding the grant is effective in every
# namespace.
  labels:
    app: mpi-operator
    app.kubernetes.io/component: mpijob
    app.kubernetes.io/name: mpi-operator
    kustomize.component: mpi-operator
  name: mpi-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mpi-operator
subjects:
- kind: ServiceAccount
  name: mpi-operator
  namespace: kubeflow
---
# Operator settings. The kubectl-delivery image reference is repeated in the
# Deployment's --kubectl-delivery-image argument below.
# NOTE(review): ":latest" is a mutable tag and no registry host is given, so
# what gets pulled depends on the container runtime's default registry and on
# whatever that tag points to at pull time. Pin a reviewed build by digest
# (name@sha256:<digest>) in both places.
apiVersion: v1
data:
  kubectl-delivery-image: mpioperator/kubectl-delivery:latest
  lock-namespace: kubeflow
kind: ConfigMap
metadata:
  labels:
    app: mpi-operator
    app.kubernetes.io/component: mpijob
    app.kubernetes.io/name: mpi-operator
    kustomize.component: mpi-operator
  name: mpi-operator-config
  namespace: kubeflow
---
# Single-replica Deployment of the operator. The pod runs as the mpi-operator
# ServiceAccount, i.e. with the cluster-wide mpi-operator ClusterRole, so the
# integrity of this image matters for the whole cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mpi-operator
    app.kubernetes.io/component: mpijob
    app.kubernetes.io/name: mpi-operator
    kustomize.component: mpi-operator
  name: mpi-operator
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mpi-operator
      app.kubernetes.io/component: mpijob
      app.kubernetes.io/name: mpi-operator
      kustomize.component: mpi-operator
  template:
    metadata:
      annotations:
        # Opts this pod out of Istio sidecar injection.
        sidecar.istio.io/inject: "false"
      labels:
        app: mpi-operator
        app.kubernetes.io/component: mpijob
        app.kubernetes.io/name: mpi-operator
        kustomize.component: mpi-operator
    spec:
      containers:
      # NOTE(review): the container declares no securityContext and no
      # resources. Consider runAsNonRoot, allowPrivilegeEscalation: false and
      # readOnlyRootFilesystem if the image supports them, plus requests and
      # limits.
      - args:
        - -alsologtostderr
        - --lock-namespace
        - kubeflow
        - --kubectl-delivery-image
        - mpioperator/kubectl-delivery:latest
        # NOTE(review): "latest-d32b4" is a tag, not a digest, and with
        # imagePullPolicy: Always it is re-resolved on every pod start, so a
        # re-pushed tag is picked up without any change to this manifest. The
        # registry path differs from the mpioperator/ namespace used above;
        # it looks like a re-hosted copy, so verify its digest against the
        # upstream build before pinning (TODO confirm provenance).
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/mpioperator-mpi-operator:latest-d32b4
        imagePullPolicy: Always
        name: mpi-operator
      serviceAccountName: mpi-operator
================================================
FILE: manifest1.3/031-mxnet-job-overlays-kubeflow.yaml
================================================
# Header of the MXJob CustomResourceDefinition; the value of spec.scope and
# the rest of the spec are on the following line.
# NOTE(review): apiextensions.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22 on; moving to apiextensions.k8s.io/v1 requires the schema
# to be declared per version under spec.versions.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: mxnet-operator
    app.kubernetes.io/component: mxnet
    app.kubernetes.io/name: mxnet-operator
    kustomize.component: mxnet-operator
  name: mxjobs.kubeflow.org
spec:
  group: kubeflow.org
  names:
    kind: MXJob
    plural: mxjobs
    singular: mxjob
  scope:
# Fragment: value of spec.scope and the remaining spec of the
# mxjobs.kubeflow.org CustomResourceDefinition, whose header is on the
# preceding line.
    Namespaced
  subresources:
    status: {}
  # The schema validates replica counts only. Pod templates inside an MXJob
  # are not constrained here, so any limit on what job pods may request has to
  # come from admission policy on the namespace.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          properties:
            mxReplicaSpecs:
              properties:
                Scheduler:
                  properties:
                    replicas:
                      maximum: 1
                      minimum: 1
                      type: integer
                Server:
                  properties:
                    replicas:
                      minimum: 1
                      type: integer
                Tuner:
                  properties:
                    replicas:
                      maximum: 1
                      minimum: 1
                      type: integer
                TunerServer:
                  properties:
                    replicas:
                      minimum: 1
                      type: integer
                TunerTracker:
                  properties:
                    replicas:
                      maximum: 1
                      minimum: 1
                      type: integer
                Worker:
                  properties:
                    replicas:
                      minimum: 1
                      type: integer
  version: v1
---
# Identity the operator pod runs as; its permissions come from the
# mxnet-operator ClusterRole and ClusterRoleBinding later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: mxnet-operator
    app.kubernetes.io/component: mxnet
    app.kubernetes.io/name: mxnet-operator
    kustomize.component: mxnet-operator
  name: mxnet-operator
  namespace: kubeflow
---
# Aggregated role: rules is left empty because it is filled from every
# ClusterRole labelled aggregate-to-kubeflow-mxjobs-admin: "true" (in this
# file, kubeflow-mxjobs-edit). Any ClusterRole that carries that label widens
# this role, so who may create or label ClusterRoles matters for it.
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mxjobs-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: mxnet-operator
    app.kubernetes.io/component: mxnet
    app.kubernetes.io/name: mxnet-operator
    kustomize.component: mxnet-operator
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
  name: kubeflow-mxjobs-admin
rules: []
---
# Read/write access to MXJob objects and their status subresource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: mxnet-operator
    app.kubernetes.io/component: mxnet
    app.kubernetes.io/name: mxnet-operator
    kustomize.component: mxnet-operator
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mxjobs-admin: "true"
  name: kubeflow-mxjobs-edit
rules:
- apiGroups:
  - kubeflow.org
  resources:
  - mxjobs
  - mxjobs/status
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - deletecollection
  - patch
  - update
---
# Header and labels of the kubeflow-mxjobs-view ClusterRole; its name and
# rules are on the following line.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: mxnet-operator
    app.kubernetes.io/component: mxnet
    app.kubernetes.io/name: mxnet-operator
    kustomize.component: mxnet-operator
    rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
# Fragment: name and rules of the kubeflow-mxjobs-view ClusterRole, whose
# header and labels are on the preceding line. Read-only access to MXJob
# objects and their status subresource.
  name: kubeflow-mxjobs-view
rules:
- apiGroups:
  - kubeflow.org
  resources:
  - mxjobs
  - mxjobs/status
  verbs:
  - get
  - list
  - watch
---
# Permissions of the operator itself.
# NOTE(review): every rule uses verbs '*', and the ClusterRoleBinding that
# follows grants the role cluster-wide, so the mxnet-operator ServiceAccount
# can read, change and delete all listed resource types in every namespace.
# Secrets are not listed. Replacing '*' with the verbs the operator actually
# calls, and dropping resource types it does not manage, would shrink the
# impact of a compromised operator pod (TODO confirm the required set against
# the operator's API usage).
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22 on; the kubeflow-mxjobs-* roles in this file already use
# rbac.authorization.k8s.io/v1, which accepts the same fields.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: mxnet-operator
    app.kubernetes.io/component: mxnet
    app.kubernetes.io/name: mxnet-operator
    kustomize.component: mxnet-operator
  name: mxnet-operator
rules:
- apiGroups:
  - kubeflow.org
  resources:
  - mxjobs
  verbs:
  - '*'
# NOTE(review): '*' on CustomResourceDefinitions includes update and delete
# for every CRD in the cluster; deleting a CRD also removes all objects of
# that kind.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
# NOTE(review): StorageClasses are cluster-scoped; write access here affects
# provisioning for all tenants.
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - '*'
# NOTE(review): full control of pods, configmaps, services, endpoints, PVCs
# and events in all namespaces.
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  verbs:
  - '*'
- apiGroups:
  - apps
  - extensions
  resources:
  - deployments
  verbs:
  - '*'
---
# Grants the mxnet-operator ClusterRole to the mxnet-operator ServiceAccount
# in "kubeflow"; as a ClusterRoleBinding it is effective in every namespace.
# Same v1beta1 API-version caveat as the ClusterRole above.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: mxnet-operator
    app.kubernetes.io/component: mxnet
    app.kubernetes.io/name: mxnet-operator
    kustomize.component: mxnet-operator
  name: mxnet-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mxnet-operator
subjects:
- kind: ServiceAccount
  name: mxnet-operator
  namespace: kubeflow
---
# Single-replica Deployment of the MXNet operator. Only the first part of the
# container spec is on this line; the second env entry's value, the image and
# serviceAccountName follow on the next line.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mxnet-operator
    app.kubernetes.io/component: mxnet
    app.kubernetes.io/name: mxnet-operator
    kustomize.component: mxnet-operator
  name: mxnet-operator
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mxnet-operator
      app.kubernetes.io/component: mxnet
      app.kubernetes.io/name: mxnet-operator
      kustomize.component: mxnet-operator
  template:
    metadata:
      annotations:
        # Opts this pod out of Istio sidecar injection.
        sidecar.istio.io/inject: "false"
      labels:
        app: mxnet-operator
        app.kubernetes.io/component: mxnet
        app.kubernetes.io/name: mxnet-operator
        kustomize.component: mxnet-operator
    spec:
      containers:
      - command:
        - /opt/kubeflow/mxnet-operator.v1
        env:
        # Downward-API value: the namespace the pod is running in.
        - name: MY_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name:
MY_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflow-mxnet-operator:v1.1.0-9863e imagePullPolicy: Always name: mxnet-operator serviceAccountName: mxnet-operator ================================================ FILE: manifest1.3/032-xgboost-job-overlays-kubeflow.yaml ================================================ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: (devel) creationTimestamp: null labels: app.kubernetes.io/component: xgboostjob app.kubernetes.io/name: xgboost-operator name: xgboostjobs.xgboostjob.kubeflow.org spec: group: xgboostjob.kubeflow.org names: kind: XGBoostJob listKind: XGBoostJobList plural: xgboostjobs singular: xgboostjob scope: "" validation: openAPIV3Schema: description: XGBoostJob is the Schema for the xgboostjobs API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: XGBoostJobSpec defines the desired state of XGBoostJob properties: activeDeadlineSeconds: description: Specifies the duration in seconds relative to the startTime that the job may be active before the system tries to terminate it; value must be positive integer. format: int64 type: integer backoffLimit: description: Optional number of retries before marking this job failed. 
format: int32 type: integer cleanPodPolicy: description: CleanPodPolicy defines the policy to kill pods after the job completes. Default to Running. type: string schedulingPolicy: description: SchedulingPolicy defines the policy related to scheduling, e.g. gang-scheduling properties: minAvailable: format: int32 type: integer type: object ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. It may take extra ReconcilePeriod seconds for the cleanup, since reconcile gets called periodically. Default to infinite. format: int32 type: integer xgbReplicaSpecs: additionalProperties: description: ReplicaSpec is a description of the replica properties: replicas: description: Replicas is the desired number of replicas of the given template. If unspecified, defaults to 1. format: int32 type: integer restartPolicy: description: Restart policy for all replicas within the job. One of Always, OnFailure, Never and ExitCode. Default to Never. type: string template: description: Template is the object that describes the pod that will be created for this replica. RestartPolicy in PodTemplateSpec will be overide by RestartPolicy in ReplicaSpec properties: metadata: description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' type: object spec: description: 'Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' properties: activeDeadlineSeconds: description: Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer. format: int64 type: integer affinity: description: If specified, the pod's scheduling constraints properties: nodeAffinity: description: Describes node affinity scheduling rules for the pod. 
properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. items: description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with the corresponding weight. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. 
items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object weight: description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. format: int32 type: integer required: - preference - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. items: description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object type: array required: - nodeSelectorTerms type: object type: object podAffinity: description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object podAntiAffinity: description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, in this case pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" items: type: string type: array topologyKey: description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object type: object automountServiceAccountToken: description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. type: boolean containers: description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. items: description: A single application container that you want to run within a pod. properties: args: description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: description: List of environment variables to set in the container. Cannot be updated. items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" type: string resource: description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. 
When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. items: description: EnvFromSource represents the source of a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the ConfigMap must be defined type: boolean type: object prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the Secret must be defined type: boolean type: object type: object type: array image: description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. properties: postStart: description: 'PostStart is called immediately after a container is created. 
If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. 
TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object type: object preStop: description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.
type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object type: object type: object livenessProbe: description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. 
Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. format: int32 type: integer httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. format: int32 type: integer tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. 
TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. type: string ports: description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. items: description: ContainerPort represents a network port in a single container. properties: containerPort: description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. format: int32 type: integer hostIP: description: What host IP to bind the external port to. type: string hostPort: description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. format: int32 type: integer name: description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. 
type: string protocol: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - containerPort type: object type: array readinessProbe: description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. format: int32 type: integer httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. format: int32 type: integer tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' properties: limits: additionalProperties: type: string description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object requests: additionalProperties: type: string description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object type: object securityContext: description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. properties: add: description: Added capabilities items: description: Capability represent POSIX capabilities type type: string type: array drop: description: Removed capabilities items: description: Capability represent POSIX capabilities type type: string type: array type: object privileged: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. type: boolean procMount: description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. 
type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. type: boolean runAsGroup: description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. format: int64 type: integer runAsNonRoot: description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. format: int64 type: integer seLinuxOptions: description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. properties: level: description: Level is SELinux level label that applies to the container. type: string role: description: Role is a SELinux role label that applies to the container. type: string type: description: Type is a SELinux type label that applies to the container. type: string user: description: User is a SELinux user label that applies to the container. 
type: string type: object windowsOptions: description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. type: string gmsaCredentialSpecName: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. type: string runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag. type: string type: object type: object startupProbe: description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. format: int32 type: integer httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. format: int32 type: integer tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. type: boolean stdinOnce: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. 
If this flag is false, a container process that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. type: string tty: description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. type: boolean volumeDevices: description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. items: description: volumeDevice describes a mapping of a raw block device within a container. properties: devicePath: description: devicePath is the path inside of the container that the device will be mapped to. type: string name: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - devicePath - name type: object type: array volumeMounts: description: Pod volumes to mount into the container's filesystem. Cannot be updated. items: description: VolumeMount describes a mounting of a Volume within a container.
properties: mountPath: description: Path within the container at which the volume should be mounted. Must not contain ':'. type: string mountPropagation: description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. type: boolean subPath: description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). type: string subPathExpr: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - mountPath - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - name type: object type: array dnsConfig: description: Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy. properties: nameservers: description: A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed. items: type: string type: array options: description: A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy. 
items: description: PodDNSConfigOption defines DNS resolver options of a pod. properties: name: description: Required. type: string value: type: string type: object type: array searches: description: A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed. items: type: string type: array type: object dnsPolicy: description: Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. type: string enableServiceLinks: description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.' type: boolean ephemeralContainers: description: List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature. items: description: An EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. 
They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag. properties: args: description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: description: List of environment variables to set in the container. Cannot be updated. items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. 
If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' 
properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" type: string resource: description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. items: description: EnvFromSource represents the source of a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the ConfigMap must be defined type: boolean type: object prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from properties: name: description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the Secret must be defined type: boolean type: object type: object type: array image: description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' type: string imagePullPolicy: description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: description: Lifecycle is not allowed for ephemeral containers. properties: postStart: description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. 
HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object type: object preStop: description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: One and only one of the following should be specified.
Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. 
required: - port type: object type: object type: object livenessProbe: description: Probes are not allowed for ephemeral containers. properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. format: int32 type: integer httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. format: int32 type: integer tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: description: Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers. type: string ports: description: Ports are not allowed for ephemeral containers. items: description: ContainerPort represents a network port in a single container. properties: containerPort: description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. format: int32 type: integer hostIP: description: What host IP to bind the external port to. type: string hostPort: description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. 
Most containers do not need this. format: int32 type: integer name: description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. type: string protocol: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - containerPort type: object type: array readinessProbe: description: Probes are not allowed for ephemeral containers. properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. format: int32 type: integer httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. 
type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. format: int32 type: integer tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. properties: limits: additionalProperties: type: string description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object requests: additionalProperties: type: string description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object type: object securityContext: description: SecurityContext is not allowed for ephemeral containers. properties: allowPrivilegeEscalation: description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. properties: add: description: Added capabilities items: description: Capability represent POSIX capabilities type type: string type: array drop: description: Removed capabilities items: description: Capability represent POSIX capabilities type type: string type: array type: object privileged: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. type: boolean procMount: description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. 
type: boolean runAsGroup: description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. format: int64 type: integer runAsNonRoot: description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. format: int64 type: integer seLinuxOptions: description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. properties: level: description: Level is SELinux level label that applies to the container. type: string role: description: Role is a SELinux role label that applies to the container. type: string type: description: Type is a SELinux type label that applies to the container. type: string user: description: User is a SELinux user label that applies to the container. type: string type: object windowsOptions: description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. 
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. type: string gmsaCredentialSpecName: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. type: string runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag. type: string type: object type: object startupProbe: description: Probes are not allowed for ephemeral containers. properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. 
format: int32 type: integer httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. format: int32 type: integer tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. required: - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. type: boolean stdinOnce: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container process that reads from stdin will never receive an EOF. Default is false. type: boolean targetContainerName: description: If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature. type: string terminationMessagePath: description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.'
type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. type: string tty: description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. type: boolean volumeDevices: description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. items: description: volumeDevice describes a mapping of a raw block device within a container. properties: devicePath: description: devicePath is the path inside of the container that the device will be mapped to. type: string name: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - devicePath - name type: object type: array volumeMounts: description: Pod volumes to mount into the container's filesystem. Cannot be updated. items: description: VolumeMount describes a mounting of a Volume within a container. properties: mountPath: description: Path within the container at which the volume should be mounted. Must not contain ':'. type: string mountPropagation: description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. type: boolean subPath: description: Path within the volume from which the container's volume should be mounted. 
Defaults to "" (volume's root). type: string subPathExpr: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - mountPath - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - name type: object type: array hostAliases: description: HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods. items: description: HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file. properties: hostnames: description: Hostnames for the above IP address. items: type: string type: array ip: description: IP address of the host file entry. type: string type: object type: array hostIPC: description: 'Use the host''s ipc namespace. Optional: Default to false.' type: boolean hostNetwork: description: Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false. type: boolean hostPID: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean hostname: description: Specifies the hostname of the Pod. If not specified, the pod's hostname will be set to a system-defined value. type: string imagePullSecrets: description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object type: array initContainers: description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' items: description: A single application container that you want to run within a pod. properties: args: description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME).
Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: description: List of environment variables to set in the container. Cannot be updated. items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key type: object fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" type: string resource: description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key type: object type: object required: - name type: object type: array envFrom: description: List of sources to populate environment variables in the container. 
The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. items: description: EnvFromSource represents the source of a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the ConfigMap must be defined type: boolean type: object prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the Secret must be defined type: boolean type: object type: object type: array image: description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. 
properties: postStart: description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. 
TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object type: object preStop: description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.
type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object type: object type: object livenessProbe: description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. 
Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. format: int32 type: integer httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. format: int32 type: integer tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. 
TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. type: string ports: description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. items: description: ContainerPort represents a network port in a single container. properties: containerPort: description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. format: int32 type: integer hostIP: description: What host IP to bind the external port to. type: string hostPort: description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. format: int32 type: integer name: description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. 
type: string protocol: description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". type: string required: - containerPort type: object type: array readinessProbe: description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. format: int32 type: integer httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. format: int32 type: integer tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' properties: limits: additionalProperties: type: string description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object requests: additionalProperties: type: string description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object type: object securityContext: description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. properties: add: description: Added capabilities items: description: Capability represent POSIX capabilities type type: string type: array drop: description: Removed capabilities items: description: Capability represent POSIX capabilities type type: string type: array type: object privileged: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. type: boolean procMount: description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. 
type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. type: boolean runAsGroup: description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. format: int64 type: integer runAsNonRoot: description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. format: int64 type: integer seLinuxOptions: description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. properties: level: description: Level is SELinux level label that applies to the container. type: string role: description: Role is a SELinux role label that applies to the container. type: string type: description: Type is a SELinux type label that applies to the container. type: string user: description: User is a SELinux user label that applies to the container. 
type: string type: object windowsOptions: description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. type: string gmsaCredentialSpecName: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. type: string runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag. type: string type: object type: object startupProbe: description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: One and only one of the following should be specified. Exec specifies the action to take. properties: command: description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. format: int32 type: integer httpGet: description: HTTPGet specifies the http request to perform. properties: host: description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. type: string httpHeaders: description: Custom headers to set in the request. HTTP allows repeated headers. items: description: HTTPHeader describes a custom header to be used in HTTP probes properties: name: description: The header field name type: string value: description: The header field value type: string required: - name - value type: object type: array path: description: Path to access on the HTTP server. type: string port: anyOf: - type: string - type: integer description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. scheme: description: Scheme to use for connecting to the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. format: int32 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. format: int32 type: integer tcpSocket: description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' properties: host: description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string port: anyOf: - type: string - type: integer description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. required: - port type: object timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. type: boolean stdinOnce: description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. 
If this flag is false, a container process that reads from stdin will never receive an EOF. Default is false type: boolean terminationMessagePath: description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' type: string terminationMessagePolicy: description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. type: string tty: description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. type: boolean volumeDevices: description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. items: description: volumeDevice describes a mapping of a raw block device within a container. properties: devicePath: description: devicePath is the path inside of the container that the device will be mapped to. type: string name: description: name must match the name of a persistentVolumeClaim in the pod type: string required: - devicePath - name type: object type: array volumeMounts: description: Pod volumes to mount into the container's filesystem. Cannot be updated. items: description: VolumeMount describes a mounting of a Volume within a container.
properties: mountPath: description: Path within the container at which the volume should be mounted. Must not contain ':'. type: string mountPropagation: description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. type: boolean subPath: description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). type: string subPathExpr: description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. type: string required: - mountPath - name type: object type: array workingDir: description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. type: string required: - name type: object type: array nodeName: description: NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements. type: string nodeSelector: additionalProperties: type: string description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object overhead: additionalProperties: type: string description: 'Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.' type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is alpha-level and is only honored by servers that enable the NonPreemptingPriority feature. type: string priority: description: The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority. format: int32 type: integer priorityClassName: description: If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. 
If not specified, the pod priority will be default or zero if there is no default. type: string readinessGates: description: 'If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md' items: description: PodReadinessGate contains the reference to a pod condition properties: conditionType: description: ConditionType refers to a condition in the pod's condition list with matching type. type: string required: - conditionType type: object type: array restartPolicy: description: 'Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: description: 'RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md This is a beta feature as of Kubernetes v1.14.' type: string schedulerName: description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. type: string securityContext: description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.' properties: fsGroup: description: "A special supplemental group that applies to all containers in a pod. 
Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- \n If unset, the Kubelet will not modify the ownership and permissions of any volume." format: int64 type: integer runAsGroup: description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. format: int64 type: integer runAsNonRoot: description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. format: int64 type: integer seLinuxOptions: description: The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. properties: level: description: Level is SELinux level label that applies to the container. 
type: string role: description: Role is a SELinux role label that applies to the container. type: string type: description: Type is a SELinux type label that applies to the container. type: string user: description: User is a SELinux user label that applies to the container. type: string type: object supplementalGroups: description: A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. items: format: int64 type: integer type: array sysctls: description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. items: description: Sysctl defines a kernel parameter to be set properties: name: description: Name of a property to set type: string value: description: Value of a property to set type: string required: - name - value type: object type: array windowsOptions: description: The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. type: string gmsaCredentialSpecName: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. type: string runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. 
May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag. type: string type: object type: object serviceAccount: description: 'DeprecatedServiceAccount is a deprecated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.' type: string serviceAccountName: description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' type: string shareProcessNamespace: description: 'Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false. This field is beta-level and may be disabled with the PodShareProcessNamespace feature.' type: boolean subdomain: description: If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>". If not specified, the pod will not have a domainname at all. type: string terminationGracePeriodSeconds: description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds. format: int64 type: integer tolerations: description: If specified, the pod's tolerations.
items: description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. properties: effect: description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. type: string tolerationSeconds: description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array topologySpreadConstraints: description: TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. This field is alpha-level and is only honored by clusters that enable the EvenPodsSpread feature. All topologySpreadConstraints are ANDed. items: description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. properties: labelSelector: description: LabelSelector is used to find matching pods.
Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object maxSkew: description: 'MaxSkew describes the degree to which pods may be unevenly distributed. It''s the maximum permitted difference between the number of matching pods in any two topology domains of a given topology type. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. It''s a required field. 
Default value is 1 and 0 is not allowed.' format: int32 type: integer topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each <key, value> as a "bucket", and try to put balanced number of pods into each bucket. It's a required field. type: string whenUnsatisfiable: description: 'WhenUnsatisfiable indicates how to deal with a pod if it doesn''t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it - ScheduleAnyway tells the scheduler to still schedule it It''s considered as "Unsatisfiable" if and only if placing incoming pod on any topology violates "MaxSkew". For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won''t make it *more* imbalanced. It''s a required field.' type: string required: - maxSkew - topologyKey - whenUnsatisfiable type: object type: array volumes: description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' items: description: Volume represents a named volume in a pod that may be accessed by any container in the pod. properties: awsElasticBlockStore: description: 'AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: description: 'The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).' format: int32 type: integer readOnly: description: 'Specify "true" to force and set the ReadOnly property in VolumeMounts to "true". If omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: description: 'Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: description: AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. properties: cachingMode: description: 'Host Caching mode: None, Read Only, Read Write.' type: string diskName: description: The Name of the data disk in the blob storage type: string diskURI: description: The URI the data disk in the blob storage type: string fsType: description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: description: 'Expected values Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' type: string readOnly: description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. 
type: boolean required: - diskName - diskURI type: object azureFile: description: AzureFile represents an Azure File Service mount on the host and bind mount to the pod. properties: readOnly: description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretName: description: the name of secret that contains Azure Storage Account Name and Key type: string shareName: description: Share Name type: string required: - secretName - shareName type: object cephfs: description: CephFS represents a Ceph FS mount on the host that shares a pod's lifetime properties: monitors: description: 'Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: description: 'Optional: Used as the mounted root, rather than the full Ceph tree, default is /' type: string readOnly: description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: description: 'Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: description: 'Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string type: object user: description: 'Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: description: 'Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: description: 'Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: description: 'Optional: points to a secret object containing parameters used to connect to OpenStack.' properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object volumeID: description: 'volume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: description: ConfigMap represents a configMap that should populate this volume properties: defaultMode: description: 'Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' 
format: int32 type: integer items: description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: description: The key to project. type: string mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - key - path type: object type: array name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: description: Specify whether the ConfigMap or its keys must be defined type: boolean type: object csi: description: CSI (Container Storage Interface) represents storage that is handled by an external CSI driver (Alpha feature). properties: driver: description: Driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster. type: string fsType: description: Filesystem type to mount. Ex. "ext4", "xfs", "ntfs". 
If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply. type: string nodePublishSecretRef: description: NodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object readOnly: description: Specifies a read-only configuration for the volume. Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string description: VolumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. type: object required: - driver type: object downwardAPI: description: DownwardAPI represents downward API about the pod that should populate this volume properties: defaultMode: description: 'Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer items: description: Items is a list of downward API volume file items: description: DownwardAPIVolumeFile represents information to create the file containing the pod field properties: fieldRef: description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.' 
properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' type: string resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" type: string resource: description: 'Required: resource to select' type: string required: - resource type: object required: - path type: object type: array type: object emptyDir: description: 'EmptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: description: 'What type of storage medium should back this directory. The default is "" which means to use the node''s default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: description: 'Total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. 
The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' type: string type: object fc: description: FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. properties: fsType: description: 'Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine' type: string lun: description: 'Optional: FC target lun number' format: int32 type: integer readOnly: description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.' type: boolean targetWWNs: description: 'Optional: FC target worldwide names (WWNs)' items: type: string type: array wwids: description: 'Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.' items: type: string type: array type: object flexVolume: description: FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. properties: driver: description: Driver is the name of the driver to use for this volume. type: string fsType: description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. type: string options: additionalProperties: type: string description: 'Optional: Extra command options if any.' type: object readOnly: description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.' 
type: boolean secretRef: description: 'Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.' properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object required: - driver type: object flocker: description: Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running properties: datasetName: description: Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated type: string datasetUUID: description: UUID of the dataset. This is unique identifier of a Flocker dataset type: string type: object gcePersistentDisk: description: 'GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: description: 'The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: description: 'Unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: description: 'ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean required: - pdName type: object gitRepo: description: 'GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod''s container.' properties: directory: description: Target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name. type: string repository: description: Repository URL type: string revision: description: Commit hash for the specified revision. type: string required: - repository type: object glusterfs: description: 'Glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: description: 'EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: description: 'Path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: description: 'ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: boolean required: - endpoints - path type: object hostPath: description: 'HostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath --- TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not mount host directories as read/write.' properties: path: description: 'Path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: description: 'Type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: description: 'ISCSI represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: description: whether support iSCSI Discovery CHAP authentication type: boolean chapAuthSession: description: whether support iSCSI Session CHAP authentication type: boolean fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine' type: string initiatorName: description: Custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection. 
type: string iqn: description: Target iSCSI Qualified Name. type: string iscsiInterface: description: iSCSI Interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). type: string lun: description: iSCSI Target Lun number. format: int32 type: integer portals: description: iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: description: ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. type: boolean secretRef: description: CHAP Secret for iSCSI target and initiator authentication properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object targetPortal: description: iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). type: string required: - iqn - lun - targetPortal type: object name: description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: description: 'NFS represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: description: 'Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: description: 'ReadOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: description: 'Server is the hostname or IP address of the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: - path - server type: object persistentVolumeClaim: description: 'PersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: description: 'ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: description: Will force the ReadOnly setting in VolumeMounts. Default false. type: boolean required: - claimName type: object photonPersistentDisk: description: PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine properties: fsType: description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string pdID: description: ID that identifies Photon Controller persistent disk type: string required: - pdID type: object portworxVolume: description: PortworxVolume represents a portworx volume attached and mounted on kubelets host machine properties: fsType: description: FSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: description: VolumeID uniquely identifies a Portworx volume type: string required: - volumeID type: object projected: description: Items for all in one resources secrets, configmaps, and downward API properties: defaultMode: description: Mode bits to use on created files by default. 
Must be a value between 0 and 0777. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. format: int32 type: integer sources: description: list of volume projections items: description: Projection that may be projected along with other supported volume types properties: configMap: description: information about the configMap data to project properties: items: description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: description: The key to project. type: string mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - key - path type: object type: array name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string optional: description: Specify whether the ConfigMap or its keys must be defined type: boolean type: object downwardAPI: description: information about the downwardAPI data to project properties: items: description: Items is a list of DownwardAPIVolume file items: description: DownwardAPIVolumeFile represents information to create the file containing the pod field properties: fieldRef: description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.' properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' type: string resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' 
properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" type: string resource: description: 'Required: resource to select' type: string required: - resource type: object required: - path type: object type: array type: object secret: description: information about the secret data to project properties: items: description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: description: The key to project. type: string mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string required: - key - path type: object type: array name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string optional: description: Specify whether the Secret or its key must be defined type: boolean type: object serviceAccountToken: description: information about the serviceAccountToken data to project properties: audience: description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. type: string expirationSeconds: description: ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. format: int64 type: integer path: description: Path is the path relative to the mount point of the file to project the token into. type: string required: - path type: object type: object type: array required: - sources type: object quobyte: description: Quobyte represents a Quobyte mount on the host that shares a pod's lifetime properties: group: description: Group to map volume access to Default is no group type: string readOnly: description: ReadOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false. 
type: boolean registry: description: Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes type: string tenant: description: Tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: description: User to map volume access to Defaults to serivceaccount user type: string volume: description: Volume is a string that references an already created Quobyte volume by name. type: string required: - registry - volume type: object rbd: description: 'RBD represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' type: string image: description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: description: 'Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: description: 'A collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: description: 'The rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: description: 'ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: description: 'SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object user: description: 'The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: description: ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. properties: fsType: description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs". type: string gateway: description: The host address of the ScaleIO API Gateway. type: string protectionDomain: description: The name of the ScaleIO Protection Domain for the configured storage. type: string readOnly: description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: description: SecretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object sslEnabled: description: Flag to enable/disable SSL communication with Gateway, default false type: boolean storageMode: description: Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. 
type: string storagePool: description: The ScaleIO Storage Pool associated with the protection domain. type: string system: description: The name of the storage system as configured in ScaleIO. type: string volumeName: description: The name of a volume already created in the ScaleIO system that is associated with this volume source. type: string required: - gateway - secretRef - system type: object secret: description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: description: 'Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer items: description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: description: The key to project. type: string mode: description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' format: int32 type: integer path: description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. 
May not start with the string '..'. type: string required: - key - path type: object type: array optional: description: Specify whether the Secret or its keys must be defined type: boolean secretName: description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: description: StorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. properties: fsType: description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: description: SecretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object volumeName: description: VolumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace. type: string volumeNamespace: description: VolumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created. 
type: string type: object vsphereVolume: description: VsphereVolume represents a vSphere volume attached and mounted on kubelets host machine properties: fsType: description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: description: Storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. type: string storagePolicyName: description: Storage Policy Based Management (SPBM) profile name. type: string volumePath: description: Path that identifies vSphere volume vmdk type: string required: - volumePath type: object required: - name type: object type: array required: - containers type: object type: object type: object type: object required: - xgbReplicaSpecs type: object status: description: XGBoostJobStatus defines the observed state of XGBoostJob properties: completionTime: description: Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. format: date-time type: string conditions: description: Conditions is an array of current observed job conditions. items: description: JobCondition describes the state of the job at a certain point. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. format: date-time type: string lastUpdateTime: description: The last time this condition was updated. format: date-time type: string message: description: A human readable message indicating details about the transition. type: string reason: description: The reason for the condition's last transition. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: description: Type of job condition. 
type: string required: - status - type type: object type: array lastReconcileTime: description: Represents last time when the job was reconciled. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. format: date-time type: string replicaStatuses: additionalProperties: description: ReplicaStatus represents the current observed state of the replica. properties: active: description: The number of actively running pods. format: int32 type: integer failed: description: The number of pods which reached phase Failed. format: int32 type: integer succeeded: description: The number of pods which reached phase Succeeded. format: int32 type: integer type: object description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, specifies the status of each replica. type: object startTime: description: Represents time when the job was acknowledged by the job controller. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. 
# Tail of what appears to be the XGBoostJob CustomResourceDefinition, which starts earlier in this file; left as extracted.
format: date-time type: string required: - conditions - replicaStatuses type: object type: object version: v1 versions: - name: v1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: []
---
# Identity used by the xgboost-operator Deployment further down (serviceAccountName);
# the ClusterRoleBinding below attaches the cluster-wide role to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: xgboostjob
    app.kubernetes.io/name: xgboost-operator
  name: xgboost-operator-service-account
  namespace: kubeflow
---
# Cluster-scoped permissions for the operator. Every rule carries the full
# get/list/watch/create/update/patch/delete verb set and, because this is a
# ClusterRole bound through a ClusterRoleBinding, it applies in all namespaces.
# NOTE(review): two rules deserve a least-privilege pass:
#   - the core ("") group rule includes `secrets` and `namespaces`, i.e. read/write
#     access to every Secret in the cluster;
#   - the admissionregistration.k8s.io rule allows create/update/delete of mutating
#     and validating webhook configurations, which govern admission cluster-wide.
# Treat this service account's token as highly privileged when scoping access to the
# kubeflow namespace and when writing audit rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: xgboostjob
    app.kubernetes.io/name: xgboost-operator
  name: xgboost-operator-cluster-role
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/status
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - xgboostjob.kubeflow.org
  resources:
  - xgboostjobs
  - xgboostjobs/status
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - events
  - namespaces
  - persistentvolumeclaims
  - pods
  - secrets
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# Grants the ClusterRole above to the operator's service account in `kubeflow`.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: xgboostjob
    app.kubernetes.io/name: xgboost-operator
  name: xgboost-operator-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: xgboost-operator-cluster-role
subjects:
- kind: ServiceAccount
  name: xgboost-operator-service-account
  namespace: kubeflow
---
# ConfigMap with no data keys in this manifest; the name carries a generated hash suffix.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: xgboostjob
    app.kubernetes.io/name: xgboost-operator
  name: xgboost-operator-xgboost-operator-config-6ct58987ht
  namespace: kubeflow
---
# ClusterIP Service in front of the operator pods.
# NOTE(review): the scrape annotations point at port 8080 while the only declared
# Service port is 443 - confirm which port the operator actually serves metrics on.
apiVersion: v1
kind: Service
metadata:
  annotations:
    prometheus.io/path: /metrics
    prometheus.io/port: "8080"
    prometheus.io/scrape: "true"
  labels:
    app: xgboost-operator
    app.kubernetes.io/component: xgboostjob
    app.kubernetes.io/name: xgboost-operator
  name: xgboost-operator-service
  namespace: kubeflow
spec:
  ports:
  - port: 443
  selector:
    app: xgboost-operator
    app.kubernetes.io/component: xgboostjob
    app.kubernetes.io/name: xgboost-operator
  type: ClusterIP
---
# Operator Deployment; runs under the service account bound to the ClusterRole above.
# NOTE(review): the container sets no securityContext and no resource requests/limits.
# The entrypoint lives under /root, so the image presumably runs as root - confirm, and
# add runAsNonRoot / dropped capabilities if the binary allows it.
# The image is referenced by tag on a mirror registry with imagePullPolicy: Always, so
# the content that runs can change between pod restarts; pinning by digest makes the
# deployed image verifiable.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: xgboostjob
    app.kubernetes.io/name: xgboost-operator
  name: xgboost-operator-deployment
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: xgboost-operator
      app.kubernetes.io/component: xgboostjob
      app.kubernetes.io/name: xgboost-operator
  template:
    metadata:
      labels:
        app: xgboost-operator
        app.kubernetes.io/component: xgboostjob
        app.kubernetes.io/name: xgboost-operator
    spec:
      containers:
      - command:
        - /root/manager
        - -mode=in-cluster
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/kubeflow-xgboost-operator:v0.2.0-c368f
        imagePullPolicy: Always
        name: xgboost-operator
      serviceAccountName: xgboost-operator-service-account
================================================
FILE: manifest1.3/033-user-namespace-user-namespace-base.yaml
================================================
# Example user wiring: a ConfigMap naming the default profile and user, and the
# Profile object owned by that user.
apiVersion: v1
data:
  profile-name: kubeflow-user-example-com
  user: user@example.com
kind: ConfigMap
metadata:
  name: default-install-config-9h2h2b6hbk
---
apiVersion: kubeflow.org/v1beta1
kind: Profile
metadata:
  name: kubeflow-user-example-com
spec:
  owner:
    kind: User
    name: user@example.com
================================================
FILE: patch/auth.yaml
================================================
apiVersion: v1
data:
  # Dex configuration, embedded as a string (comments inside the block are part of the
  # ConfigMap value). Security-relevant settings as shipped:
  #   - issuer and web.http are plain HTTP on 0.0.0.0:5556; no TLS is configured here;
  #   - logger.level is "debug";
  #   - enablePasswordDB is on with one static user, admin@example.com, whose bcrypt
  #     hash is, per the inline comment, the hash of the literal string "password";
  #   - oauth2.skipApprovalScreen is true;
  #   - the OIDC client id and secret are read from the OIDC_CLIENT_ID and
  #     OIDC_CLIENT_SECRET environment variables.
  # NOTE(review): this is a publicly known default credential. Replace the hash (or move
  # to an external connector) and lower the log level before the gateway is reachable
  # by anyone other than the installer.
  config.yaml: |
    issuer: http://dex.auth.svc.cluster.local:5556/dex
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556
    logger:
      level: "debug"
      format: text
    oauth2:
      skipApprovalScreen: true
    enablePasswordDB: true
    staticPasswords:
    - email: "admin@example.com"
      # hash string is "password"
      hash: "$2y$12$X.oNHMsIfRSq35eRfiTYV.dPIYlWyPDRRc1.JVp0f3c.YqqJNW4uK"
      username: "admin"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
    staticClients:
    # https://github.com/dexidp/dex/pull/1664
    - idEnv: OIDC_CLIENT_ID
      redirectURIs: ["/login/oidc"]
      name: 'Dex Login Application'
      secretEnv: OIDC_CLIENT_SECRET
kind: ConfigMap
metadata:
  name: dex
  namespace: auth
---
# Dex Deployment. The config above is mounted from the `dex` ConfigMap at /etc/dex/cfg,
# and the OIDC client values are injected from the `dex-oidc-client` Secret via envFrom.
# NOTE(review): no securityContext or resource limits are set, and the image is
# referenced by tag rather than digest.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dex
  name: dex
  namespace: auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
    spec:
      containers:
      - command:
        - dex
        - serve
        - /etc/dex/cfg/config.yaml
        envFrom:
        - secretRef:
            name: dex-oidc-client
        env:
        - name: KUBERNETES_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/dexidp-dex:v2.24.0-bb0b9
        name: dex
        ports:
        - containerPort: 5556
          name: http
        volumeMounts:
        - mountPath: /etc/dex/cfg
          name: config
      serviceAccountName: dex
      volumes:
      - configMap:
          items:
          - key: config.yaml
            path: config.yaml
          name: dex
        name: config
---
# The default profile is owned by admin@example.com, the same static Dex user defined
# above, so that login owns the kubeflow-user-example-com profile.
apiVersion: v1
data:
  profile-name: kubeflow-user-example-com
  user: admin@example.com
kind: ConfigMap
metadata:
  name: default-install-config-9h2h2b6hbk
---
apiVersion: kubeflow.org/v1beta1
kind: Profile
metadata:
  name: kubeflow-user-example-com
spec:
  owner:
    kind: User
    name: admin@example.com
================================================
FILE: patch/cluster-local-gateway.yaml
================================================
# Istio cluster-local gateway Deployment; the rest of its spec follows on the next line.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cluster-local-gateway
    install.operator.istio.io/owning-resource: unknown
    istio: cluster-local-gateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: cluster-local-gateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: cluster-local-gateway
      istio: cluster-local-gateway
strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% template: metadata: annotations: prometheus.io/path: /stats/prometheus prometheus.io/port: "15020" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" labels: app: cluster-local-gateway chart: gateways heritage: Tiller install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default operator.istio.io/component: IngressGateways release: istio service.istio.io/canonical-name: cluster-local-gateway service.istio.io/canonical-revision: latest sidecar.istio.io/inject: "false" spec: affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - preference: matchExpressions: - key: kubernetes.io/arch operator: In values: - amd64 weight: 2 - preference: matchExpressions: - key: kubernetes.io/arch operator: In values: - ppc64le weight: 2 - preference: matchExpressions: - key: kubernetes.io/arch operator: In values: - s390x weight: 2 requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x containers: - args: - proxy - router - --domain - $(POD_NAMESPACE).svc.cluster.local - --proxyLogLevel=warning - --proxyComponentLogLevel=misc:error - --log_output_level=default:info - --serviceCluster - cluster-local-gateway env: - name: JWT_POLICY value: first-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR value: istiod.istio-system.svc:15012 - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: CANONICAL_SERVICE 
valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-name'] - name: CANONICAL_REVISION valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: ISTIO_META_WORKLOAD_NAME value: cluster-local-gateway - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway - name: ISTIO_META_UNPRIVILEGED_POD value: "true" - name: ISTIO_META_ROUTER_MODE value: sni-dnat - name: ISTIO_META_CLUSTER_ID value: Kubernetes image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-proxyv2:1.9.0-e8a74 name: istio-proxy ports: - containerPort: 15020 protocol: TCP - containerPort: 8080 protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP readinessProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: 2000m memory: 1024Mi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true volumeMounts: - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /etc/istio/config name: config-volume - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/pod name: podinfo - mountPath: /etc/istio/ingressgateway-certs name: ingressgateway-certs readOnly: true - mountPath: /etc/istio/ingressgateway-ca-certs name: ingressgateway-ca-certs readOnly: true securityContext: fsGroup: 1337 runAsGroup: 1337 runAsNonRoot: true runAsUser: 1337 serviceAccountName: cluster-local-gateway-service-account volumes: - configMap: name: istio-ca-root-cert name: istiod-ca-cert - downwardAPI: items: - fieldRef: fieldPath: metadata.labels path: labels - fieldRef: fieldPath: metadata.annotations path: annotations - path: cpu-limit resourceFieldRef: containerName: istio-proxy divisor: 1m resource: 
limits.cpu - path: cpu-request resourceFieldRef: containerName: istio-proxy divisor: 1m resource: requests.cpu name: podinfo - emptyDir: {} name: istio-envoy - emptyDir: {} name: istio-data - configMap: name: istio optional: true name: config-volume - name: ingressgateway-certs secret: optional: true secretName: istio-ingressgateway-certs - name: ingressgateway-ca-certs secret: optional: true secretName: istio-ingressgateway-ca-certs
================================================ FILE: patch/data.yaml ================================================
# Deployment of the MinIO object server (`server /data`, port 9000) in the
# kubeflow namespace, labelled as part of kubeflow-pipelines.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: minio
    application-crd-id: kubeflow-pipelines
  name: minio
  namespace: kubeflow
spec:
  selector:
    matchLabels:
      app: minio
      application-crd-id: kubeflow-pipelines
  strategy:
    # Recreate: the old pod is stopped before the new one starts.
    type: Recreate
  template:
    metadata:
      labels:
        app: minio
        application-crd-id: kubeflow-pipelines
    spec:
      # NOTE(review): neither the pod nor the container sets a securityContext,
      # so the image's default user and capabilities apply. Consider
      # runAsNonRoot, allowPrivilegeEscalation: false and dropping capabilities
      # after checking that the image runs that way.
      containers:
      - args:
        - server
        - /data
        env:
        # Both MinIO credentials are read from Secret mlpipeline-minio-artifact
        # (keys accesskey / secretkey); nothing is inlined in this manifest.
        # NOTE(review): confirm that Secret holds site-specific values rather
        # than values shipped with a public manifest.
        - name: MINIO_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              key: accesskey
              name: mlpipeline-minio-artifact
        - name: MINIO_SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: secretkey
              name: mlpipeline-minio-artifact
        # Pulled by tag from registry.cn-shenzhen.aliyuncs.com/tensorbytes
        # (looks like a mirror of the upstream image; verify). A tag can be
        # re-pointed, so pin by digest (image@sha256:<digest>) if the registry
        # is not under your control.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-minio:RELEASE.2019-08-14T20-37-41Z-license-compliance-290a7
        name: minio
        ports:
        - containerPort: 9000
        # Requests only; no CPU or memory limit is set.
        resources:
          requests:
            cpu: 20m
            memory: 100Mi
        volumeMounts:
        - mountPath: /data
          name: data
          subPath: minio
      volumes:
      # emptyDir is tied to the pod's lifetime: everything MinIO stored under
      # /data is gone once the pod is deleted or rescheduled. Use a
      # PersistentVolumeClaim where the stored objects must survive.
      - name: data
        emptyDir: {}
================================================ FILE: patch/envoy-filter.yaml ================================================
# EnvoyFilter authn-filter: inserts Envoy's ext_authz HTTP filter (GATEWAY
# context) on workloads labelled istio: ingressgateway and points it at
# authservice.istio-system on port 8080 over plain HTTP.
# Only the authorization, cookie and x-auth-token request headers are forwarded
# to the auth service, and only kubeflow-userid is copied from its response
# onto the upstream request.
# NOTE(review): the flattened text does not show whether `listener` is nested
# under `match`. After applying, confirm the filter is present on the gateway's
# listeners; a patch that matches nothing leaves the gateway without this check.
--- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: authn-filter namespace: istio-system spec: configPatches: - applyTo: HTTP_FILTER listener: filterChain: filter: name: envoy.http_connection_manager subFilter: name: "" match: context: GATEWAY patch: operation: INSERT_BEFORE value: name: envoy.filters.http.ext_authz typed_config: '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
http_service: authorization_request: allowed_headers: patterns: - exact: authorization - exact: cookie - exact: x-auth-token authorization_response: allowed_upstream_headers: patterns: - exact: kubeflow-userid server_uri: cluster: outbound|8080||authservice.istio-system.svc.cluster.local timeout: 10s uri: http://authservice.istio-system.svc.cluster.local workloadSelector: labels: istio: ingressgateway
================================================ FILE: patch/istio-ingressgateway.yaml ================================================
# Deployment of the Istio ingress gateway (`proxy router`) in istio-system.
# Its pods carry the label istio: ingressgateway, which is what the
# authn-filter EnvoyFilter in patch/envoy-filter.yaml selects.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        sidecar.istio.io/inject: "false"
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        install.operator.istio.io/owning-resource: unknown
        istio: ingressgateway
        istio.io/rev: default
        operator.istio.io/component: IngressGateways
        release: istio
        service.istio.io/canonical-name: istio-ingressgateway
        service.istio.io/canonical-revision: latest
        sidecar.istio.io/inject: "false"
    spec:
      # Scheduling is limited to amd64, ppc64le and s390x nodes; all three are
      # preferred with equal weight.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - proxy
        - router
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --proxyLogLevel=warning
        - --proxyComponentLogLevel=misc:error
        - --log_output_level=default:info
        - --serviceCluster
        - istio-ingressgateway
        env:
        # first-party-jwt: the proxy presents the pod's ordinary service-account
        # token to istiod instead of a projected, audience-bound token.
        # NOTE(review): Istio documents third-party-jwt as the more secure
        # setting where the cluster supports projected tokens; confirm this
        # choice is deliberate. The same value is set on istiod and in the
        # injector `values` in patch/istiod.yaml.
        - name: JWT_POLICY
          value: first-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.hostIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: CANONICAL_SERVICE
          valueFrom:
            fieldRef:
              fieldPath: metadata.labels['service.istio.io/canonical-name']
        - name: CANONICAL_REVISION
          valueFrom:
            fieldRef:
              fieldPath: metadata.labels['service.istio.io/canonical-revision']
        - name: ISTIO_META_WORKLOAD_NAME
          value: istio-ingressgateway
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
        - name: ISTIO_META_UNPRIVILEGED_POD
          value: "true"
        - name: ISTIO_META_ROUTER_MODE
          value: standard
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        # Pulled by tag from a registry that looks like a mirror (verify);
        # pin by digest (image@sha256:<digest>) if the registry is not under
        # your control.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-proxyv2:1.9.0-e8a74
        name: istio-proxy
        ports:
        - containerPort: 15021
          protocol: TCP
        - containerPort: 8080
          protocol: TCP
        - containerPort: 8443
          protocol: TCP
        - containerPort: 31400
          protocol: TCP
        - containerPort: 15443
          protocol: TCP
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 2
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 40Mi
        # Container hardening: no privilege escalation, all capabilities
        # dropped, not privileged, read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/istio/config
          name: config-volume
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/lib/istio/data
          name: istio-data
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      # Pod runs as non-root uid/gid 1337.
      securityContext:
        fsGroup: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
      serviceAccountName: istio-ingressgateway-service-account
      volumes:
      - configMap:
          name: istio-ca-root-cert
        name: istiod-ca-cert
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              fieldPath: metadata.annotations
            path: annotations
          - path: cpu-limit
            resourceFieldRef:
              containerName: istio-proxy
              divisor: 1m
              resource: limits.cpu
          - path: cpu-request
            resourceFieldRef:
              containerName: istio-proxy
              divisor: 1m
              resource: requests.cpu
        name: podinfo
      - emptyDir: {}
        name: istio-envoy
      - emptyDir: {}
        name: istio-data
      - configMap:
          name: istio
          optional: true
        name: config-volume
      # Both certificate Secrets are optional, so the pod starts even when
      # they do not exist.
      - name: ingressgateway-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-certs
      - name: ingressgateway-ca-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-ca-certs
================================================ FILE: patch/istiod.yaml ================================================
# Deployment of istiod (`discovery`), the Istio control plane, in istio-system.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istiod
    install.operator.istio.io/owning-resource: unknown
    istio: pilot
    istio.io/rev: default
    operator.istio.io/component: Pilot
    release: istio
  name: istiod
  namespace: istio-system
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      istio: pilot
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        prometheus.io/port: "15014"
        prometheus.io/scrape: "true"
        sidecar.istio.io/inject: "false"
      creationTimestamp: null
      labels:
        app: istiod
        install.operator.istio.io/owning-resource: unknown
        istio: pilot
        istio.io/rev: default
        operator.istio.io/component: Pilot
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - args:
        - discovery
        - --monitoringAddr=:15014
        - --log_output_level=default:info
        - --domain
        - cluster.local
        - --keepaliveMaxServerConnectionAge
        - 30m
        env:
        - name: REVISION
          value: default
        # Same token policy as the gateways; see the note on JWT_POLICY in
        # patch/istio-ingressgateway.yaml before changing one without the other.
        - name: JWT_POLICY
          value: first-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.serviceAccountName
        # Path inside the istio-kubeconfig mount below; that Secret is optional.
        - name: KUBECONFIG
          value: /var/run/secrets/remote/config
        # NOTE(review): presumably a percentage, i.e. every request is traced;
        # confirm this is intended outside a test cluster.
        - name: PILOT_TRACE_SAMPLING
          value: "100"
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
          value: "true"
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
          value: "true"
        - name: ISTIOD_ADDR
          value: istiod.istio-system.svc:15012
        - name: PILOT_ENABLE_ANALYSIS
          value: "false"
        - name: CLUSTER_ID
          value: Kubernetes
        - name: EXTERNAL_ISTIOD
          value: "false"
        # Pulled by tag from a registry that looks like a mirror (verify);
        # pin by digest (image@sha256:<digest>) if the registry is not under
        # your control.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/istio-pilot:1.9.0-9d4e9
        imagePullPolicy: IfNotPresent
        name: discovery
        ports:
        - containerPort: 8080
          protocol: TCP
        # NOTE(review): 15010 is listed in Istio's port reference as the
        # plaintext XDS/CA port; confirm it is reachable only from inside the
        # cluster network.
        - containerPort: 15010
          protocol: TCP
        - containerPort: 15017
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /ready
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 3
          successThreshold: 1
          timeoutSeconds: 5
        # Requests only; no CPU or memory limit is set.
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
        # Drops all capabilities and runs as non-root uid/gid 1337.
        # NOTE(review): unlike the istio-ingressgateway container, this one
        # does not set allowPrivilegeEscalation: false or
        # readOnlyRootFilesystem: true.
        securityContext:
          capabilities:
            drop:
            - ALL
          runAsGroup: 1337
          runAsNonRoot: true
          runAsUser: 1337
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/istio/config
          name: config-volume
        - mountPath: /var/run/secrets/istio-dns
          name: local-certs
        - mountPath: /etc/cacerts
          name: cacerts
          readOnly: true
        - mountPath: /var/run/secrets/remote
          name: istio-kubeconfig
          readOnly: true
        - mountPath: /var/lib/istio/inject
          name: inject
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1337
      serviceAccount: istiod-service-account
      serviceAccountName: istiod-service-account
      terminationGracePeriodSeconds: 30
      volumes:
      # Memory-backed emptyDir, so these certificates are not written to node disk.
      - emptyDir:
          medium: Memory
        name: local-certs
      # Optional Secret: istiod starts without it.
      # NOTE(review): presumably istiod then falls back to a CA it generates
      # itself; confirm whether a plugged-in CA is expected here.
      - name: cacerts
        secret:
          defaultMode: 420
          optional: true
          secretName: cacerts
      - name: istio-kubeconfig
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-kubeconfig
      - configMap:
          defaultMode: 420
          name: istio-sidecar-injector
        name: inject
      - configMap:
          defaultMode: 420
          name: istio
        name: config-volume
# ConfigMap istio-sidecar-injector follows, left exactly as flattened in the dump.
# Its `values` set istio_cni.enabled to false, and in that case the template
# gives the injected istio-init container NET_ADMIN and NET_RAW and runs it as
# uid 0, so namespaces receiving injected pods need a pod-security policy that
# permits this.
--- apiVersion: v1 data: config: |- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template defaultTemplates: [sidecar] policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" templates: sidecar: | {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: labels: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} istio.io/rev: {{ .Revision | default
"default" | quote }} annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} {{ with index .ObjectMeta.Annotations 
`traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} {{- end }} } spec: {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.istio_cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} args: - istio-iptables - "-p" - "15001" - "-z" - "15006" - "-u" - "1337" - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - "-d" {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{- else }} - "15090,15021" {{- end }} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault 
.Values.global.proxy.includeOutboundPorts "") "") -}} - "-q" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" {{ end -}} {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if .Values.istio_cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ end -}} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} resources: {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} 
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not .Values.istio_cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL {{- if not .Values.istio_cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} readOnlyRootFilesystem: true runAsGroup: 1337 runAsUser: 1337 runAsNonRoot: true {{- end }} restartPolicy: Always {{ end -}} {{- if eq .Values.global.proxy.enableCoreDump true }} - name: enable-core-dump args: - -c - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited command: - /bin/sh {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" resources: {} securityContext: allowPrivilegeEscalation: true capabilities: add: - SYS_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{ end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ 
.Values.global.proxy.image }}:{{ .Values.global.tag }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster {{ if ne "" (index .ObjectMeta.Labels "app") -}} - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" {{ else -}} - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" {{ end -}} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} - --concurrency - "{{ .ProxyConfig.Concurrency.GetValue }}" {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- else if $holdProxy }} lifecycle: postStart: exec: command: - pilot-agent - wait {{- end }} env: - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR {{- if .Values.global.caAddress }} value: {{ .Values.global.caAddress }} {{- else }} value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - 
name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: CANONICAL_SERVICE valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-name'] - name: CANONICAL_REVISION valueFrom: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_APP_CONTAINERS value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{ if .ObjectMeta.Annotations }} - name: ISTIO_METAJSON_ANNOTATIONS value: | {{ toJSON .ObjectMeta.Annotations }} {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault 
.MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - name: TRUST_DOMAIN value: "{{ . }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - name: {{ $key }} value: "{{ $value }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: 15021 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} timeoutSeconds: 3 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} add: {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - NET_ADMIN {{- end }} {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - NET_BIND_SERVICE {{- end }} {{- end }} drop: - ALL privileged: {{ .Values.global.proxy.privileged }} 
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} runAsGroup: 1337 fsGroup: 1337 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false runAsUser: 0 {{- else -}} runAsNonRoot: true runAsUser: 1337 {{- end }} resources: {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} requests: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" {{ end }} {{- end }} {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} limits: {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" {{ end }} {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" {{ end }} {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} volumeMounts: {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset 
.ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory name: istio-envoy - name: istio-data emptyDir: {} - name: istio-podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations - path: "cpu-limit" resourceFieldRef: containerName: istio-proxy resource: limits.cpu divisor: 1m - path: "cpu-request" resourceFieldRef: containerName: istio-proxy resource: requests.cpu divisor: 1m {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- 
end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: name: istio-ca-root-cert {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - name: lightstep-certs secret: optional: true secretName: lightstep.cacert {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . 
}} {{- end }} {{- end }} {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} securityContext: fsGroup: 1337 {{- end }} values: |- { "global": { "arch": { "amd64": 2, "ppc64le": 2, "s390x": 2 }, "caAddress": "", "configValidation": true, "defaultNodeSelector": {}, "defaultPodDisruptionBudget": { "enabled": true }, "defaultResources": { "requests": { "cpu": "10m" } }, "enabled": true, "externalIstiod": false, "hub": "docker.io/istio", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "istio-system", "istiod": { "enableAnalysis": false }, "jwtPolicy": "first-party-jwt", "logAsJson": false, "logging": { "level": "default:info" }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "", "enabled": false }, "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, "oneNamespace": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "priorityClassName": "", "proxy": { "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", "enableCoreDump": false, "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", "holdApplicationUntilProxyStarts": false, "image": "proxyv2", "includeIPRanges": "*", "logLevel": "warning", "privileged": false, "readinessFailureThreshold": 30, "readinessInitialDelaySeconds": 1, "readinessPeriodSeconds": 2, "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "10m", "memory": "40Mi" } }, "statusPort": 15020, "tracer": "zipkin" }, "proxy_init": { "image": "proxyv2", "resources": { "limits": { "cpu": "2000m", "memory": "1024Mi" }, "requests": { "cpu": "10m", "memory": "10Mi" } } }, "remotePilotAddress": "", "sds": { "token": { "aud": "istio-ca" } }, "sts": { "servicePort": 0 }, "tag": "1.9.0", "tracer": { "datadog": { "address": "$(HOST_IP):8126" }, "lightstep": { "accessToken": "", "address": "" }, "stackdriver": { "debug": false,
"maxNumberOfAnnotations": 200, "maxNumberOfAttributes": 200, "maxNumberOfMessageEvents": 200 }, "zipkin": { "address": "" } }, "trustDomain": "", "useMCP": false }, "istio_cni": { "enabled": false }, "revision": "", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "objectSelector": { "autoInject": true, "enabled": true }, "rewriteAppHTTPProbe": true, "templates": {}, "useLegacySelectors": true } } kind: ConfigMap metadata: labels: install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot release: istio name: istio-sidecar-injector namespace: istio-system
================================================ FILE: patch/jupyter-web-app.yaml ================================================
---
# Deployment jupyter-web-app-deployment in the kubeflow namespace; the app is
# configured with the /jupyter prefix and declares container port 5000.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: jupyter-web-app
    kustomize.component: jupyter-web-app
  name: jupyter-web-app-deployment
  namespace: kubeflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jupyter-web-app
      kustomize.component: jupyter-web-app
  template:
    metadata:
      annotations:
        # No Istio sidecar is injected into this pod, so policy that the
        # sidecar would enforce (mesh mTLS, AuthorizationPolicy) does not
        # apply to traffic reaching it.
        sidecar.istio.io/inject: "false"
      labels:
        app: jupyter-web-app
        kustomize.component: jupyter-web-app
    spec:
      # NOTE(review): no securityContext and no resource requests or limits
      # are set for this pod.
      containers:
      - env:
        - name: APP_PREFIX
          value: /jupyter
        - name: UI
          value: default
        # Presumably the header the app reads the caller's identity from
        # (verify). It is the same header that the authn-filter EnvoyFilter in
        # patch/envoy-filter.yaml lets through from authservice.
        - name: USERID_HEADER
          value: kubeflow-userid
        - name: USERID_PREFIX
          value: ""
        # NOTE(review): "True" presumably switches off the web app's own
        # authentication/authorization checks; confirm against the app's
        # documentation. With the sidecar disabled as well, access control for
        # this pod rests on the ingress gateway's ext_authz filter and on
        # whatever restricts in-cluster access to port 5000 (for example a
        # NetworkPolicy); none is defined in this file.
        - name: APP_DISABLE_AUTH
          value: "True"
        # This gets rid of the error: Could not find CSRF cookie XSRF-TOKEN in the request
        # NOTE(review): "False" presumably means the cookie is issued without
        # the Secure attribute so that it also works over plain HTTP; set it
        # back to "True" once the UI is served over HTTPS.
        - name: APP_SECURE_COOKIES
          value: "False"
        # Pulled by tag from a registry that looks like a mirror (verify);
        # pin by digest (image@sha256:<digest>) if the registry is not under
        # your control.
        image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-jupyter-web-app:v1.3.0-rc.0-70edb
        name: jupyter-web-app
        ports:
        - containerPort: 5000
        volumeMounts:
        - mountPath: /etc/config
          name: config-volume
      serviceAccountName: jupyter-web-app-service-account
      volumes:
      - configMap:
          name: jupyter-web-app-config-tkhtgh5mcm
        name: config-volume
================================================ FILE:
patch/kfserving.yaml ================================================ apiVersion: caching.internal.knative.dev/v1alpha1 kind: Image metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: queue-proxy namespace: knative-serving spec: image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/knative-serving-queue:v0.14.3 --- apiVersion: v1 data: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # List of repositories for which tag to digest resolving should be skipped registriesSkippingTagResolving: "ko.local,dev.local" queueSidecarImage: registry.cn-shenzhen.aliyuncs.com/tensorbytes/knative-serving-queue:v0.14.3 kind: ConfigMap metadata: labels: app.kubernetes.io/component: knative-serving-install app.kubernetes.io/name: knative-serving-install kustomize.component: knative serving.knative.dev/release: v0.14.3 name: config-deployment namespace: knative-serving --- apiVersion: v1 data: agent: |- { "image" : "kfserving/agent:v0.5.1", "memoryRequest": "100Mi", "memoryLimit": "1Gi", "cpuRequest": "100m", "cpuLimit": "1" } batcher: |- { "image" : "kfserving/agent:v0.5.1", "memoryRequest": "1Gi", "memoryLimit": "1Gi", "cpuRequest": "1", "cpuLimit": "1" } credentials: |- { "gcs": { "gcsCredentialFileName": "gcloud-application-credentials.json" }, "s3": { "s3AccessKeyIDName": "AWS_ACCESS_KEY_ID", "s3SecretAccessKeyName": "AWS_SECRET_ACCESS_KEY" } } explainers: |- { "alibi": { "image" : "kfserving/alibi-explainer", 
"defaultImageVersion": "v0.5.1" }, "aix": { "image" : "kfserving/aix-explainer", "defaultImageVersion": "v0.5.1" }, "art": { "image" : "kfserving/art-explainer", "defaultImageVersion": "v0.5.1" } } ingress: |- { "ingressGateway" : "kubeflow-gateway.kubeflow", "ingressService" : "istio-ingressgateway.istio-system.svc.cluster.local", "localGateway" : "cluster-local-gateway.knative-serving", "localGatewayService" : "cluster-local-gateway.istio-system.svc.cluster.local" } logger: |- { "image" : "kfserving/agent:v0.5.1", "memoryRequest": "100Mi", "memoryLimit": "1Gi", "cpuRequest": "100m", "cpuLimit": "1", "defaultUrl": "http://default-broker" } predictors: |- { "tensorflow": { "image": "tensorflow/serving", "defaultImageVersion": "1.14.0", "defaultGpuImageVersion": "1.14.0-gpu", "defaultTimeout": "60", "supportedFrameworks": [ "tensorflow" ], "multiModelServer": false }, "onnx": { "image": "mcr.microsoft.com/onnxruntime/server", "defaultImageVersion": "v1.0.0", "supportedFrameworks": [ "onnx" ], "multiModelServer": false }, "sklearn": { "v1": { "image": "registry.cn-shenzhen.aliyuncs.com/tensorbytes/sklearnserver", "defaultImageVersion": "v0.5.1", "supportedFrameworks": [ "sklearn" ], "multiModelServer": false }, "v2": { "image": "docker.io/seldonio/mlserver", "defaultImageVersion": "0.2.1", "supportedFrameworks": [ "sklearn" ], "multiModelServer": false } }, "xgboost": { "v1": { "image": "registry.cn-shenzhen.aliyuncs.com/tensorbytes/xgbserver", "defaultImageVersion": "v0.5.1", "supportedFrameworks": [ "xgboost" ], "multiModelServer": false }, "v2": { "image": "docker.io/seldonio/mlserver", "defaultImageVersion": "0.2.1", "supportedFrameworks": [ "xgboost" ], "multiModelServer": false } }, "pytorch": { "v1" : { "image": "registry.cn-shenzhen.aliyuncs.com/tensorbytes/pytorchserver", "defaultImageVersion": "v0.5.1", "defaultGpuImageVersion": "v0.5.1-gpu", "supportedFrameworks": [ "pytorch" ], "multiModelServer": false }, "v2" : { "image": "kfserving/torchserve-kfs", 
"defaultImageVersion": "0.3.0", "defaultGpuImageVersion": "0.3.0-gpu", "supportedFrameworks": [ "pytorch" ], "multiModelServer": false } }, "triton": { "image": "nvcr.io/nvidia/tritonserver", "defaultImageVersion": "20.08-py3", "supportedFrameworks": [ "tensorrt", "tensorflow", "onnx", "pytorch", "caffe2" ], "multiModelServer": false }, "pmml": { "image": "kfserving/pmmlserver", "defaultImageVersion": "v0.5.1", "supportedFrameworks": [ "pmml" ], "multiModelServer": false }, "lightgbm": { "image": "kfserving/lgbserver", "defaultImageVersion": "v0.5.1", "supportedFrameworks": [ "lightgbm" ], "multiModelServer": false } } storageInitializer: |- { "image" : "registry.cn-shenzhen.aliyuncs.com/tensorbytes/storage-initializer:v0.5.1", "memoryRequest": "100Mi", "memoryLimit": "1Gi", "cpuRequest": "100m", "cpuLimit": "1" } transformers: |- { } kind: ConfigMap metadata: labels: app: kfserving app.kubernetes.io/component: kfserving app.kubernetes.io/name: kfserving kustomize.component: kfserving name: inferenceservice-config namespace: kubeflow ================================================ FILE: patch/pipeline-env-platform-agnostic-multi-user.yaml ================================================ apiVersion: v1 data: sync.py: | # Copyright 2020-2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. 
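from http.server import BaseHTTPRequestHandler, HTTPServer
import json
import os
import base64

kfp_version = os.environ["KFP_VERSION"]
disable_istio_sidecar = os.environ.get("DISABLE_ISTIO_SIDECAR") == "true"
# The MinIO credentials are read once at import time and kept base64-encoded,
# which is the form they are placed in under the generated Secret's "data".
# If either variable is unset, bytes(None, 'utf-8') raises TypeError and the
# module fails to import.
mlpipeline_minio_access_key = base64.b64encode(
    bytes(os.environ.get("MINIO_ACCESS_KEY"), 'utf-8')).decode('utf-8')
mlpipeline_minio_secret_key = base64.b64encode(
    bytes(os.environ.get("MINIO_SECRET_KEY"), 'utf-8')).decode('utf-8')


class Controller(BaseHTTPRequestHandler):
    """HTTP handler that answers POSTed sync requests with desired child objects.

    NOTE(review): the handler does not authenticate its caller, and the JSON it
    returns for an enabled namespace contains the MinIO access and secret key.
    Nothing in this script limits who can reach the port; confirm that the
    deployment restricts access (for example with a NetworkPolicy) to the
    component that is expected to call this hook.
    """

    def sync(self, parent, children):
        """Return the desired status and child objects for one namespace.

        Args:
            parent: the observed parent object; its metadata name is used as
                the namespace of every generated child.
            children: mapping from "Kind.apiVersion" to the observed children
                of that kind; only the number of entries per kind is used.

        Returns:
            A dict with "status" and "children". Both are empty unless the
            parent carries the label pipelines.kubeflow.org/enabled = "true".
        """
        pipeline_enabled = parent.get("metadata", {}).get(
            "labels", {}).get("pipelines.kubeflow.org/enabled")

        if pipeline_enabled != "true":
            return {"status": {}, "children": []}

        # Compute status based on observed state: ready only when every child
        # kind is present in the expected quantity. all() stops at the first
        # mismatch, so later kinds are not looked up once one check fails.
        expected_counts = (
            ("Secret.v1", 1),
            ("ConfigMap.v1", 1),
            ("Deployment.apps/v1", 2),
            ("Service.v1", 2),
            ("DestinationRule.networking.istio.io/v1alpha3", 1),
            ("AuthorizationPolicy.security.istio.io/v1beta1", 1),
        )
        all_present = all(
            len(children[kind]) == count for kind, count in expected_counts)
        desired_status = {
            "kubeflow-pipelines-ready": "True" if all_present else "False"
        }

        # Generate the desired child object(s).
        # parent is a namespace
        namespace = parent.get("metadata", {}).get("name")
        desired_resources = [
            {
                "apiVersion": "v1",
                "kind": "ConfigMap",
                "metadata": {
                    "name": "metadata-grpc-configmap",
                    "namespace": namespace,
                },
                "data": {
                    "METADATA_GRPC_SERVICE_HOST":
                        "metadata-grpc-service.kubeflow",
                    "METADATA_GRPC_SERVICE_PORT": "8080",
                },
            },
            # Visualization server related manifests below
            {
                "apiVersion": "apps/v1",
                "kind": "Deployment",
                "metadata": {
                    "labels": {
                        "app": "ml-pipeline-visualizationserver"
                    },
                    "name": "ml-pipeline-visualizationserver",
                    "namespace": namespace,
                },
                "spec": {
                    "selector": {
                        "matchLabels": {
                            "app": "ml-pipeline-visualizationserver"
                        },
                    },
                    "template": {
                        "metadata": {
                            "labels": {
                                "app": "ml-pipeline-visualizationserver"
                            },
                            "annotations": {
                                "sidecar.istio.io/inject": "false"
                            } if disable_istio_sidecar else {},
                        },
                        "spec": {
                            "containers": [{
                                "image": "registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-visualization-server:1.5.0-rc.2-03636",
                                "imagePullPolicy": "IfNotPresent",
                                "name": "ml-pipeline-visualizationserver",
                                "ports": [{
                                    "containerPort": 8888
                                }],
                                "resources": {
                                    "requests": {
                                        "cpu": "50m",
                                        "memory": "200Mi"
                                    },
                                    "limits": {
                                        "cpu": "500m",
                                        "memory": "1Gi"
                                    },
                                }
                            }],
                            "serviceAccountName": "default-editor",
                        },
                    },
                },
            },
            {
                "apiVersion": "networking.istio.io/v1alpha3",
                "kind": "DestinationRule",
                "metadata": {
                    "name": "ml-pipeline-visualizationserver",
                    "namespace": namespace,
                },
                "spec": {
                    "host": "ml-pipeline-visualizationserver",
                    "trafficPolicy": {
                        "tls": {
                            "mode": "ISTIO_MUTUAL"
                        }
                    }
                }
            },
            {
                "apiVersion": "security.istio.io/v1beta1",
                "kind": "AuthorizationPolicy",
                "metadata": {
                    "name": "ml-pipeline-visualizationserver",
                    "namespace": namespace,
                },
                "spec": {
                    "selector": {
                        "matchLabels": {
                            "app": "ml-pipeline-visualizationserver"
                        }
                    },
                    "rules": [{
                        "from": [{
                            "source": {
                                "principals": ["cluster.local/ns/kubeflow/sa/ml-pipeline"]
                            }
                        }]
                    }]
                }
            },
            {
                "apiVersion": "v1",
                "kind": "Service",
                "metadata": {
                    "name": "ml-pipeline-visualizationserver",
                    "namespace": namespace,
                },
                "spec": {
                    "ports": [{
                        "name": "http",
                        "port": 8888,
                        "protocol": "TCP",
                        "targetPort": 8888,
                    }],
                    "selector": {
                        "app": "ml-pipeline-visualizationserver",
                    },
                },
            },
            # Artifact fetcher related resources below.
            {
                "apiVersion": "apps/v1",
                "kind": "Deployment",
                "metadata": {
                    "labels": {
                        "app": "ml-pipeline-ui-artifact"
                    },
                    "name": "ml-pipeline-ui-artifact",
                    "namespace": namespace,
                },
                "spec": {
                    "selector": {
                        "matchLabels": {
                            "app": "ml-pipeline-ui-artifact"
                        }
                    },
                    "template": {
                        "metadata": {
                            "labels": {
                                "app": "ml-pipeline-ui-artifact"
                            },
                            "annotations": {
                                "sidecar.istio.io/inject": "false"
                            } if disable_istio_sidecar else {},
                        },
                        "spec": {
                            "containers": [{
                                "name": "ml-pipeline-ui-artifact",
                                "image": "registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-frontend:1.5.0-rc.2-34ae9",
                                "imagePullPolicy": "IfNotPresent",
                                "ports": [{
                                    "containerPort": 3000
                                }],
                                "resources": {
                                    "requests": {
                                        "cpu": "10m",
                                        "memory": "70Mi"
                                    },
                                    "limits": {
                                        "cpu": "100m",
                                        "memory": "500Mi"
                                    },
                                }
                            }],
                            "serviceAccountName": "default-editor"
                        }
                    }
                }
            },
            {
                "apiVersion": "v1",
                "kind": "Service",
                "metadata": {
                    "name": "ml-pipeline-ui-artifact",
                    "namespace": namespace,
                    "labels": {
                        "app": "ml-pipeline-ui-artifact"
                    }
                },
                "spec": {
                    "ports": [{
                        "name": "http",  # name is required to let istio understand request protocol
                        "port": 80,
                        "protocol": "TCP",
                        "targetPort": 3000
                    }],
                    "selector": {
                        "app": "ml-pipeline-ui-artifact"
                    }
                }
            },
        ]
        print('Received request:', parent)
        print('Desired resources except secrets:', desired_resources)
        # Moved after the print argument because this is sensitive data.
        # Keep it that way: anything appended before the prints above ends up
        # in the container log.
        desired_resources.append({
            "apiVersion": "v1",
            "kind": "Secret",
            "metadata": {
                "name": "mlpipeline-minio-artifact",
                "namespace": namespace,
            },
            "data": {
                "accesskey": mlpipeline_minio_access_key,
                "secretkey": mlpipeline_minio_secret_key,
            },
        })

        return {"status": desired_status, "children": desired_resources}

    def do_POST(self):
        """Serve the sync() function as a JSON webhook.

        The body must be a JSON object with "parent" and "children". A request
        without a usable Content-Length, with a body that is not valid JSON, or
        without those two keys is answered with 400 instead of raising inside
        the handler. No upper bound is placed on Content-Length here.
        """
        try:
            length = int(self.headers.get("content-length"))
            if length < 0:
                # rfile.read() with a negative size would read until EOF.
                raise ValueError("negative content-length")
            observed = json.loads(self.rfile.read(length))
            parent = observed["parent"]
            children = observed["children"]
        except (TypeError, ValueError, KeyError):
            self.send_error(400, "Malformed sync request")
            return

        desired = self.sync(parent, children)

        self.send_response(200)
        self.send_header("Content-type", "application/json")
        self.end_headers()
        self.wfile.write(bytes(json.dumps(desired), 'utf-8'))


# Listens on every interface, port 8080, over plain HTTP.
HTTPServer(("", 8080), Controller).serve_forever()
kind: ConfigMap metadata: labels: app: kubeflow-pipelines-profile-controller app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: kubeflow-pipelines-profile-controller-code-c2cd68d9k4 namespace: kubeflow --- apiVersion: v1 data: appName: pipeline appVersion: 1.5.0-rc.2 autoUpdatePipelineDefaultVersion: "true" bucketName: mlpipeline cacheDb: cachedb cacheImage: busybox cronScheduleTimezone: UTC dbHost: mysql dbPort: "3306" mlmdDb: metadb pipelineDb: mlpipeline kind: ConfigMap metadata: labels: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: pipeline-install-config namespace: kubeflow --- apiVersion: apps/v1 kind: Deployment metadata: labels: application-crd-id: kubeflow-pipelines name: workflow-controller namespace: kubeflow spec: selector: matchLabels: app: workflow-controller application-crd-id: kubeflow-pipelines template: metadata: labels: app: workflow-controller application-crd-id: kubeflow-pipelines spec: containers: - args: - --configmap - workflow-controller-configmap - --executor-image - registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-argoexec:v2.12.9-license-compliance command: - workflow-controller image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-workflow-controller:v2.12.9-license-compliance-2d9c1 livenessProbe: httpGet: path: /metrics port: metrics initialDelaySeconds: 30 periodSeconds: 30 name: workflow-controller ports: - containerPort: 9090 name: metrics resources: requests: cpu: 100m memory: 500Mi nodeSelector: kubernetes.io/os: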
linux securityContext: runAsNonRoot: true serviceAccountName: argo --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: kubeflow-pipelines-profile-controller app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: kubeflow-pipelines-profile-controller namespace: kubeflow spec: replicas: 1 # change replica number selector: matchLabels: app: kubeflow-pipelines-profile-controller app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: kubeflow-pipelines-profile-controller app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines spec: containers: - command: - python - /hooks/sync.py env: - name: KFP_VERSION valueFrom: configMapKeyRef: key: appVersion name: pipeline-install-config - name: MINIO_ACCESS_KEY valueFrom: secretKeyRef: key: accesskey name: mlpipeline-minio-artifact - name: MINIO_SECRET_KEY valueFrom: secretKeyRef: key: secretkey name: mlpipeline-minio-artifact envFrom: - configMapRef: name: kubeflow-pipelines-profile-controller-env-5252m69c4c image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/python:3.7-3a781 name: profile-controller ports: - containerPort: 8080 volumeMounts: - mountPath: /hooks name: hooks volumes: - configMap: name: kubeflow-pipelines-profile-controller-code-c2cd68d9k4 name: hooks ================================================ FILE: patch/tensorboard.yaml ================================================ apiVersion: apps/v1 kind: Deployment metadata: labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app name: tensorboards-web-app-deployment namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: tensorboards-web-app kustomize.component: tensorboards-web-app template: metadata: annotations: sidecar.istio.io/inject: 
"false" labels: app: tensorboards-web-app kustomize.component: tensorboards-web-app spec: containers: - env: - name: APP_PREFIX value: /tensorboards - name: USERID_HEADER value: kubeflow-userid - name: USERID_PREFIX value: "" - name: APP_SECURE_COOKIES value: "False" image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-tensorboards-web-app:v1.3.0-rc.0-258dd name: tensorboards-web-app ports: - containerPort: 5000 serviceAccountName: tensorboards-web-app-service-account ================================================ FILE: patch/volumes-web-app.yaml ================================================ --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: volumes-web-app kustomize.component: volumes-web-app name: volumes-web-app-deployment namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: volumes-web-app kustomize.component: volumes-web-app template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: volumes-web-app kustomize.component: volumes-web-app spec: containers: - env: - name: APP_PREFIX value: /volumes - name: USERID_HEADER value: kubeflow-userid - name: USERID_PREFIX value: "" - name: APP_SECURE_COOKIES value: "False" image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/notebooks-volumes-web-app:v1.3.0-rc.0-fe235 name: volumes-web-app ports: - containerPort: 5000 serviceAccountName: volumes-web-app-service-account ================================================ FILE: patch/workflow-controller.yaml ================================================ apiVersion: v1 data: artifactRepository: | archiveLogs: true s3: endpoint: "minio-service.kubeflow:9000" bucket: "mlpipeline" keyFormat: "artifacts/{{workflow.name}}/{{pod.name}}" # insecure will disable TLS. 
Primarily used for minio installs not configured with TLS insecure: true accessKeySecret: name: mlpipeline-minio-artifact key: accesskey secretKeySecret: name: mlpipeline-minio-artifact key: secretkey containerRuntimeExecutor: k8sapi kind: ConfigMap metadata: labels: application-crd-id: kubeflow-pipelines name: workflow-controller-configmap namespace: kubeflow --- apiVersion: apps/v1 kind: Deployment metadata: labels: application-crd-id: kubeflow-pipelines name: workflow-controller namespace: kubeflow spec: selector: matchLabels: app: workflow-controller application-crd-id: kubeflow-pipelines template: metadata: labels: app: workflow-controller application-crd-id: kubeflow-pipelines spec: containers: - args: - --configmap - workflow-controller-configmap - --executor-image - registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-argoexec:v2.12.9-license-compliance command: - workflow-controller image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-workflow-controller:v2.12.9-license-compliance-2d9c1 livenessProbe: httpGet: path: /metrics port: metrics initialDelaySeconds: 30 periodSeconds: 30 name: workflow-controller ports: - containerPort: 9090 name: metrics resources: requests: cpu: 100m memory: 500Mi nodeSelector: kubernetes.io/os: linux securityContext: runAsNonRoot: true serviceAccountName: argo --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: cache-server app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: cache-server namespace: kubeflow spec: replicas: 1 selector: matchLabels: app: cache-server app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines template: metadata: labels: app: cache-server app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines spec: containers: - args: - --db_driver=$(DBCONFIG_DRIVER) - 
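--db_host=$(DBCONFIG_HOST_NAME) - --db_port=$(DBCONFIG_PORT) - --db_name=$(DBCONFIG_DB_NAME) - --db_user=$(DBCONFIG_USER) - --db_password=$(DBCONFIG_PASSWORD) - --namespace_to_watch=$(NAMESPACE_TO_WATCH) env: - name: NAMESPACE_TO_WATCH value: "" - name: CACHE_IMAGE valueFrom: configMapKeyRef: key: cacheImage name: pipeline-install-config - name: DBCONFIG_DRIVER value: mysql - name: DBCONFIG_DB_NAME valueFrom: configMapKeyRef: key: cacheDb name: pipeline-install-config - name: DBCONFIG_HOST_NAME valueFrom: configMapKeyRef: key: dbHost name: pipeline-install-config - name: DBCONFIG_PORT valueFrom: configMapKeyRef: key: dbPort name: pipeline-install-config - name: DBCONFIG_USER valueFrom: secretKeyRef: key: username name: mysql-secret - name: DBCONFIG_PASSWORD valueFrom: secretKeyRef: key: password name: mysql-secret image: registry.cn-shenzhen.aliyuncs.com/tensorbytes/ml-pipeline-cache-server:1.5.0-rc.2-a44df imagePullPolicy: Always name: server ports: - containerPort: 8443 name: webhook-api volumeMounts: - mountPath: /etc/webhook/certs name: webhook-tls-certs readOnly: true serviceAccountName: kubeflow-pipelines-cache volumes: - name: webhook-tls-certs secret: secretName: webhook-server-tls

================================================
FILE: pre-install.py
================================================
#!/bin/python
#coding:utf-8
import os
import shlex
import yaml
from yaml import CLoader
from replace import replaceImage
import subprocess

# Render every kustomize resource listed in kustomization.yaml into
# file/NNN-<name>.yaml, rewriting image references on the way (replaceImage).
mainfile = "kustomization.yaml"
with open(mainfile, "r") as fr:
    # Safe loader: the file only needs plain YAML types, and the full loader
    # can construct arbitrary Python objects from tagged input.
    kustomizefile = yaml.load(fr, Loader=yaml.CSafeLoader)

for n, path in enumerate(kustomizefile['resources'], start=1):
    parts = path.split("/")
    filename = "-".join([parts[2]] + parts[-2:])
    # Argument list, no shell: a resource path containing shell
    # metacharacters is passed to kustomize as one literal argument.
    cmd = ["kustomize", "build", "--load_restrictor=none", path]
    printable = " ".join(shlex.quote(arg) for arg in cmd)
    print(printable)
    built = subprocess.run(cmd, stdout=subprocess.PIPE)
    # stdout is bytes, so comparing it with "" never matched; test the exit
    # status and emptiness instead so a failed build stops the run rather
    # than writing an empty manifest.
    if built.returncode != 0 or not built.stdout:
        raise ValueError(printable)
    filename = str(n).zfill(3) + "-" + filename + ".yaml"
    out = replaceImage(built.stdout.decode("utf-8"))
    with open("file/" + filename, "w", encoding="utf-8") as fw:
        fw.write(out)

================================================
FILE: replace.py
================================================
#!/bin/python
#coding:utf-8
import yaml
import os
import re
import subprocess
import sys
import json

IMAGE_PREFIX = "registry.cn-shenzhen.aliyuncs.com/tensorbytes/"


def _checkImageRef(image):
    """Return *image* if it can be handed to docker as a single argument.

    Image references come out of rendered manifests, so they are treated as
    untrusted text. Raises ValueError for a non-string, an empty string, a
    value starting with "-" (docker would parse it as an option) or a value
    containing whitespace.
    """
    if (not isinstance(image, str) or not image or image.startswith("-")
            or any(ch.isspace() for ch in image)):
        raise ValueError("unexpected image reference: {!r}".format(image))
    return image


def _docker(*args):
    """Run ``docker <args>`` without a shell and return its exit status.

    Failures stay non-fatal, as they were with os.system(), but are reported
    on stderr instead of being dropped silently.
    """
    status = subprocess.call(["docker"] + list(args))
    if status != 0:
        print("warning: docker {} exited with status {}".format(
            " ".join(args), status), file=sys.stderr)
    return status


def getNewImage(image, prefix):
    """Build the mirrored name for *image* under *prefix*.

    The result is ``<prefix><org>-<app>:<tag>-<first 5 hex chars of the local
    image Id>``. A digest reference gets the tag "special"; a reference
    without a tag gets "latest". The image must already be present locally,
    because the Id is read from ``docker inspect``.

    Raises:
        ValueError: if *image* is rejected by _checkImageRef or docker's
            output is not valid JSON.
        IndexError: if docker reports no such image.
    """
    _checkImageRef(image)
    # get hash of image
    print("docker inspect " + image)
    inspected = subprocess.run(["docker", "inspect", image],
                               stdout=subprocess.PIPE)
    info = json.loads(inspected.stdout)[0]
    imagehash = info["Id"].split(":")[-1][:5]
    pending = "-" + imagehash

    # change image to new tag
    pieces = image.split("/")
    app = pieces[-1]
    if len(pieces) > 1:
        app = pieces[-2] + "-" + app
    if ":" not in app:
        appname, appversion = app, "latest"
    elif "@sha256:" in app:
        appname, appversion = app.split("@")[0], "special"
    else:
        appname, appversion = app.split(":")[0], app.split(":")[-1]
    return prefix + appname + ":" + appversion + pending


def findDeploymentImage(content):
    """Map every container image of the Deployments/StatefulSets in *content*
    to its mirrored name.

    *content* is a multi-document YAML string split on "---\\n". Each image
    is pulled so that getNewImage can inspect it. Only ``containers`` is
    read; other container lists are not visited.
    """
    images = dict()
    for cr in content.split("---\n"):
        if not cr.strip():
            continue
        # Safe loader: manifests may come from third-party kustomize bases,
        # and the full loader can construct arbitrary Python objects.
        obj = yaml.load(cr, yaml.CSafeLoader)
        if not isinstance(obj, dict) or "kind" not in obj:
            continue
        if obj["kind"] not in ("Deployment", "StatefulSet"):
            continue
        for c in obj["spec"]["template"]["spec"]["containers"]:
            obj_image = _checkImageRef(c["image"])
            if obj_image in images:
                # already pulled and inspected for an earlier workload
                continue
            _docker("pull", obj_image)
            images[obj_image] = getNewImage(obj_image, IMAGE_PREFIX)
    return images


def replaceImage(content):
    """Return *content* with every discovered image replaced by its mirror,
    then tag, push and log the mirrored images.

    The replacement is a single pass that prefers the longest match, so an
    image whose name is a prefix of another one (``a/b:1`` and ``a/b:1.2``)
    cannot corrupt the longer reference, and already-substituted text is
    never rewritten a second time.
    """
    imageMap = findDeploymentImage(content)
    if imageMap:
        longest_first = sorted(imageMap, key=len, reverse=True)
        pattern = re.compile("|".join(re.escape(old) for old in longest_first))
        content = pattern.sub(lambda m: imageMap[m.group(0)], content)
    logAndPushImage(imageMap)
    return content


def logAndPushImage(imageMap):
    """Tag and push each mirrored image and append "old<TAB>new" to images.log.

    The log line is written whether or not the push succeeded; a failed
    docker command only produces a warning on stderr.
    """
    with open("images.log", "a") as fw:
        for image, newImage in imageMap.items():
            _checkImageRef(image)
            _checkImageRef(newImage)
            # push new images
            print("docker push {image}".format(image=newImage))
            _docker("tag", image, newImage)
            _docker("push", newImage)
            # log
            fw.write(image + "\t" + newImage + "\n")


if __name__ == "__main__":
    with open("./file/023-jupyter-overlays-kubeflow.yaml") as fr:
        images = replaceImage(fr.read())
        # print(images)

================================================
FILE: replaceVolumes.py
================================================
#!/bin/python
#coding:utf-8
import os
import yaml


def findVolumeDeployment(content):
    """Yield ``(volume name, document text)`` for each PVC-backed volume of a
    Deployment in the multi-document YAML string *content*.

    NOTE(review): the parsed object is edited (persistentVolumeClaim removed,
    emptyDir added) but the ORIGINAL document text is what gets yielded, so
    that edit is not visible to the caller. Confirm whether dumping the
    edited object was intended. The yield is placed inside the PVC check;
    the collapsed source does not show its indentation, so verify that too.
    """
    for cr in content.split("---\n"):
        if not cr.strip():
            continue
        # Safe loader: plain YAML types are all that is needed here.
        obj = yaml.load(cr, yaml.CSafeLoader)
        if not isinstance(obj, dict) or "kind" not in obj:
            continue
        if obj["kind"] != "Deployment":
            continue
        specs = obj["spec"]["template"]["spec"]
        for v in specs.get("volumes", []):
            if "persistentVolumeClaim" in v:
                del v["persistentVolumeClaim"]
                v["emptyDir"] = dict()
                yield v["name"], cr


def savePatchPath(content, filename):
    """Write *content* to ``./patch/<filename>.yaml``.

    *filename* is a volume name taken from a manifest, so it is required to
    be a single path component; anything that would leave ./patch/ raises
    ValueError.
    """
    if (not filename or filename in (".", "..")
            or os.path.basename(filename) != filename):
        raise ValueError("unexpected patch name: {!r}".format(filename))
    path = "./patch/" + filename + ".yaml"
    with open(path, "w") as fw:
        fw.write(content)


if __name__ == "__main__":
    for root, path, files in os.walk("./file"):
        for f in files:
            findfile = root + "/" + f
            with open(findfile, "r", encoding="utf-8") as fr:
                for name, cr in findVolumeDeployment(fr.read()):
                    print(name)
                    print(cr)
                    savePatchPath(cr, name)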