# Copyright 2022 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
# Namespace for the cert-manager installation. The CustomResourceDefinitions
# that follow are cluster-scoped and therefore do not live inside it.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
# Source: cert-manager/templates/crds.yaml
#
# START crd
# CertificateRequest: a one-shot, immutable request that carries a PEM CSR to an
# issuer and records the Approved/Denied/Ready outcome in its status.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificaterequests.cert-manager.io
  # START annotations
  # Helm keeps the CRD (and every CertificateRequest stored under it) on uninstall.
  annotations:
    helm.sh/resource-policy: keep
  # END annotations
  labels:
    app: 'cert-manager'
    app.kubernetes.io/name: 'cert-manager'
    app.kubernetes.io/instance: 'cert-manager'
    # Generated labels
    app.kubernetes.io/version: "v1.17.0"
spec:
  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
      - cr
      - crs
    singular: certificaterequest
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      # status is a separate subresource: writes to .status go through /status,
      # so RBAC can distinguish the controller's status updates from spec edits.
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Approved")].status
          name: Approved
          type: string
        - jsonPath: .status.conditions[?(@.type=="Denied")].status
          name: Denied
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          type: string
        - jsonPath: .spec.username
          name: Requester
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: |-
            A CertificateRequest is used to request a signed certificate from one of the
            configured issuers.

            All fields within the CertificateRequest's `spec` are immutable after creation.
            A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
            condition and its `status.failureTime` field.

            A CertificateRequest is a one-shot resource, meaning it represents a single
            point in time request for a certificate and cannot be re-used.
          type: object
          properties:
            apiVersion:
              description: |-
                APIVersion defines the versioned schema of this representation of an object.
                Servers should convert recognized schemas to the latest internal value, and
                may reject unrecognized values.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: |-
                Kind is a string value representing the REST resource this object represents.
                Servers may infer this from the endpoint the client submits requests to.
                Cannot be updated.
                In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: |-
                Specification of the desired state of the CertificateRequest resource.
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
              type: object
              required:
                - issuerRef
                - request
              properties:
                duration:
                  description: |-
                    Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
                    issuer may choose to ignore the requested duration, just like any other
                    requested attribute.
                  type: string
                # extra, groups, uid and username record the identity of the client that
                # created the request. They are stamped by the cert-manager webhook and
                # are immutable, which is what lets an approver rely on them not having
                # been chosen by the requester.
                extra:
                  description: |-
                    Extra contains extra attributes of the user that created the CertificateRequest.
                    Populated by the cert-manager webhook on creation and immutable.
                  type: object
                  additionalProperties:
                    type: array
                    items:
                      type: string
                groups:
                  description: |-
                    Groups contains group membership of the user that created the CertificateRequest.
                    Populated by the cert-manager webhook on creation and immutable.
                  type: array
                  items:
                    type: string
                  x-kubernetes-list-type: atomic
                isCA:
                  description: |-
                    Requested basic constraints isCA value. Note that the issuer may choose
                    to ignore the requested isCA value, just like any other requested attribute.

                    NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
                    it must have the same isCA value as specified here.

                    If true, this will automatically add the `cert sign` usage to the list
                    of requested `usages`.
                  type: boolean
                issuerRef:
                  description: |-
                    Reference to the issuer responsible for issuing the certificate.
                    If the issuer is namespace-scoped, it must be in the same namespace
                    as the Certificate. If the issuer is cluster-scoped, it can be used
                    from any namespace.

                    The `name` field of the reference must always be specified.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                # Base64-encoded (format: byte) PEM CSR. As the description states, any
                # BasicConstraints, KeyUsage or ExtKeyUsage extension inside the CSR must
                # agree with `isCA` and `usages`, so the CSR cannot request more than the
                # resource itself declares.
                request:
                  description: |-
                    The PEM-encoded X.509 certificate signing request to be submitted to the
                    issuer for signing.

                    If the CSR has a BasicConstraints extension, its isCA attribute must
                    match the `isCA` value of this CertificateRequest.
                    If the CSR has a KeyUsage extension, its key usages must match the
                    key usages in the `usages` field of this CertificateRequest.
                    If the CSR has a ExtKeyUsage extension, its extended key usages
                    must match the extended key usages in the `usages` field of this
                    CertificateRequest.
                  type: string
                  format: byte
                uid:
                  description: |-
                    UID contains the uid of the user that created the CertificateRequest.
                    Populated by the cert-manager webhook on creation and immutable.
                  type: string
                usages:
                  description: |-
                    Requested key usages and extended key usages.

                    NOTE: If the CSR in the `Request` field has uses the KeyUsage or
                    ExtKeyUsage extension, these extensions must have the same values
                    as specified here without any additional values.

                    If unset, defaults to `digital signature` and `key encipherment`.
                  type: array
                  items:
                    description: |-
                      KeyUsage specifies valid usage contexts for keys.
                      See:
                      https://tools.ietf.org/html/rfc5280#section-4.2.1.3
                      https://tools.ietf.org/html/rfc5280#section-4.2.1.12

                      Valid KeyUsage values are as follows:
                      "signing",
                      "digital signature",
                      "content commitment",
                      "key encipherment",
                      "key agreement",
                      "data encipherment",
                      "cert sign",
                      "crl sign",
                      "encipher only",
                      "decipher only",
                      "any",
                      "server auth",
                      "client auth",
                      "code signing",
                      "email protection",
                      "s/mime",
                      "ipsec end system",
                      "ipsec tunnel",
                      "ipsec user",
                      "timestamping",
                      "ocsp signing",
                      "microsoft sgc",
                      "netscape sgc"
                    type: string
                    # Closed enum: the API server rejects any usage string not listed here.
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
                username:
                  description: |-
                    Username contains the name of the user that created the CertificateRequest.
                    Populated by the cert-manager webhook on creation and immutable.
                  type: string
            status:
              description: |-
                Status of the CertificateRequest.
                This is set and managed automatically.
                Read-only.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
              type: object
              properties:
                ca:
                  description: |-
                    The PEM encoded X.509 certificate of the signer, also known as the CA
                    (Certificate Authority).
                    This is set on a best-effort basis by different issuers.
                    If not set, the CA is assumed to be unknown/not available.
                  type: string
                  format: byte
                certificate:
                  description: |-
                    The PEM encoded X.509 certificate resulting from the certificate
                    signing request.
                    If not set, the CertificateRequest has either not been completed or has
                    failed. More information on failure can be found by checking the
                    `conditions` field.
                  type: string
                  format: byte
                conditions:
                  description: |-
                    List of status conditions to indicate the status of a CertificateRequest.
                    Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
                  type: array
                  items:
                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: |-
                          LastTransitionTime is the timestamp corresponding to the last status
                          change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: |-
                          Message is a human readable description of the details of the last
                          transition, complementing reason.
                        type: string
                      reason:
                        description: |-
                          Reason is a brief machine readable explanation for the condition's last
                          transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        # "True"/"False" are quoted so the YAML parser keeps them as the
                        # strings the schema expects instead of turning them into booleans.
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: |-
                          Type of the condition, known values are (`Ready`, `InvalidRequest`,
                          `Approved`, `Denied`).
                        type: string
                  # Map-typed list keyed on `type`: keys must be unique, so there is at
                  # most one condition of each type, and server-side apply merges per key.
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
                failureTime:
                  description: |-
                    FailureTime stores the time that this CertificateRequest failed. This is
                    used to influence garbage collection and back-off.
                  type: string
                  format: date-time
      # v1 is the only version; it is both served and used for storage.
      served: true
      storage: true

# END crd
---
343
# Source: cert-manager/templates/crds.yaml
344
# START crd
345
apiVersion: apiextensions.k8s.io/v1
346
kind: CustomResourceDefinition
347
metadata:
348
name: certificates.cert-manager.io
349
# START annotations
350
annotations:
351
helm.sh/resource-policy: keep
352
# END annotations
353
labels:
354
app: 'cert-manager'
355
app.kubernetes.io/name: 'cert-manager'
356
app.kubernetes.io/instance: 'cert-manager'
357
# Generated labels
358
app.kubernetes.io/version: "v1.17.0"
359
spec:
360
group: cert-manager.io
361
names:
362
kind: Certificate
363
listKind: CertificateList
364
plural: certificates
365
shortNames:
366
- cert
367
- certs
368
singular: certificate
369
categories:
370
- cert-manager
371
scope: Namespaced
372
versions:
373
- name: v1
374
subresources:
375
status: {}
376
additionalPrinterColumns:
377
- jsonPath: .status.conditions[?(@.type=="Ready")].status
378
name: Ready
379
type: string
380
- jsonPath: .spec.secretName
381
name: Secret
382
type: string
383
- jsonPath: .spec.issuerRef.name
384
name: Issuer
385
priority: 1
386
type: string
387
- jsonPath: .status.conditions[?(@.type=="Ready")].message
388
name: Status
389
priority: 1
390
type: string
391
- jsonPath: .metadata.creationTimestamp
392
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
393
name: Age
394
type: date
395
schema:
396
openAPIV3Schema:
397
description: |-
398
A Certificate resource should be created to ensure an up to date and signed
399
X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
400
401
The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
402
type: object
403
properties:
404
apiVersion:
405
description: |-
406
APIVersion defines the versioned schema of this representation of an object.
407
Servers should convert recognized schemas to the latest internal value, and
408
may reject unrecognized values.
409
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
410
type: string
411
kind:
412
description: |-
413
Kind is a string value representing the REST resource this object represents.
414
Servers may infer this from the endpoint the client submits requests to.
415
Cannot be updated.
416
In CamelCase.
417
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
418
type: string
419
metadata:
420
type: object
421
spec:
422
description: |-
423
Specification of the desired state of the Certificate resource.
424
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
425
type: object
426
required:
427
- issuerRef
428
- secretName
429
properties:
430
additionalOutputFormats:
431
description: |-
432
Defines extra output formats of the private key and signed certificate chain
433
to be written to this Certificate's target Secret.
434
435
This is a Beta Feature enabled by default. It can be disabled with the
436
`--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
437
the controller and webhook components.
438
type: array
439
items:
440
description: |-
441
CertificateAdditionalOutputFormat defines an additional output format of a
442
Certificate resource. These contain supplementary data formats of the signed
443
certificate chain and paired private key.
444
type: object
445
required:
446
- type
447
properties:
448
type:
449
description: |-
450
Type is the name of the format type that should be written to the
451
Certificate's target Secret.
452
type: string
453
enum:
454
- DER
455
- CombinedPEM
456
commonName:
457
description: |-
458
Requested common name X509 certificate subject attribute.
459
More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
460
NOTE: TLS clients will ignore this value when any subject alternative name is
461
set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
462
463
Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
464
Cannot be set if the `literalSubject` field is set.
465
type: string
466
dnsNames:
467
description: Requested DNS subject alternative names.
468
type: array
469
items:
470
type: string
471
duration:
472
description: |-
473
Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
474
issuer may choose to ignore the requested duration, just like any other
475
requested attribute.
476
477
If unset, this defaults to 90 days.
478
Minimum accepted duration is 1 hour.
479
Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
480
type: string
481
emailAddresses:
482
description: Requested email subject alternative names.
483
type: array
484
items:
485
type: string
486
encodeUsagesInRequest:
487
description: |-
488
Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
489
490
This option defaults to true, and should only be disabled if the target
491
issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
492
type: boolean
493
ipAddresses:
494
description: Requested IP address subject alternative names.
495
type: array
496
items:
497
type: string
498
isCA:
499
description: |-
500
Requested basic constraints isCA value.
501
The isCA value is used to set the `isCA` field on the created CertificateRequest
502
resources. Note that the issuer may choose to ignore the requested isCA value, just
503
like any other requested attribute.
504
505
If true, this will automatically add the `cert sign` usage to the list
506
of requested `usages`.
507
type: boolean
508
issuerRef:
509
description: |-
510
Reference to the issuer responsible for issuing the certificate.
511
If the issuer is namespace-scoped, it must be in the same namespace
512
as the Certificate. If the issuer is cluster-scoped, it can be used
513
from any namespace.
514
515
The `name` field of the reference must always be specified.
516
type: object
517
required:
518
- name
519
properties:
520
group:
521
description: Group of the resource being referred to.
522
type: string
523
kind:
524
description: Kind of the resource being referred to.
525
type: string
526
name:
527
description: Name of the resource being referred to.
528
type: string
529
keystores:
530
description: Additional keystore output formats to be stored in the Certificate's Secret.
531
type: object
532
properties:
533
jks:
534
description: |-
535
JKS configures options for storing a JKS keystore in the
536
`spec.secretName` Secret resource.
537
type: object
538
required:
539
- create
540
properties:
541
alias:
542
description: |-
543
Alias specifies the alias of the key in the keystore, required by the JKS format.
544
If not provided, the default alias `certificate` will be used.
545
type: string
546
create:
547
description: |-
548
Create enables JKS keystore creation for the Certificate.
549
If true, a file named `keystore.jks` will be created in the target
550
Secret resource, encrypted using the password stored in
551
`passwordSecretRef` or `password`.
552
The keystore file will be updated immediately.
553
If the issuer provided a CA certificate, a file named `truststore.jks`
554
will also be created in the target Secret resource, encrypted using the
555
password stored in `passwordSecretRef`
556
containing the issuing Certificate Authority
557
type: boolean
558
password:
559
description: |-
560
Password provides a literal password used to encrypt the JKS keystore.
561
Mutually exclusive with passwordSecretRef.
562
One of password or passwordSecretRef must provide a password with a non-zero length.
563
type: string
564
passwordSecretRef:
565
description: |-
566
PasswordSecretRef is a reference to a non-empty key in a Secret resource
567
containing the password used to encrypt the JKS keystore.
568
Mutually exclusive with password.
569
One of password or passwordSecretRef must provide a password with a non-zero length.
570
type: object
571
required:
572
- name
573
properties:
574
key:
575
description: |-
576
The key of the entry in the Secret resource's `data` field to be used.
577
Some instances of this field may be defaulted, in others it may be
578
required.
579
type: string
580
name:
581
description: |-
582
Name of the resource being referred to.
583
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
584
type: string
585
pkcs12:
586
description: |-
587
PKCS12 configures options for storing a PKCS12 keystore in the
588
`spec.secretName` Secret resource.
589
type: object
590
required:
591
- create
592
properties:
593
create:
594
description: |-
595
Create enables PKCS12 keystore creation for the Certificate.
596
If true, a file named `keystore.p12` will be created in the target
597
Secret resource, encrypted using the password stored in
598
`passwordSecretRef` or in `password`.
599
The keystore file will be updated immediately.
600
If the issuer provided a CA certificate, a file named `truststore.p12` will
601
also be created in the target Secret resource, encrypted using the
602
password stored in `passwordSecretRef` containing the issuing Certificate
603
Authority
604
type: boolean
605
password:
606
description: |-
607
Password provides a literal password used to encrypt the PKCS#12 keystore.
608
Mutually exclusive with passwordSecretRef.
609
One of password or passwordSecretRef must provide a password with a non-zero length.
610
type: string
611
passwordSecretRef:
612
description: |-
613
PasswordSecretRef is a reference to a non-empty key in a Secret resource
614
containing the password used to encrypt the PKCS#12 keystore.
615
Mutually exclusive with password.
616
One of password or passwordSecretRef must provide a password with a non-zero length.
617
type: object
618
required:
619
- name
620
properties:
621
key:
622
description: |-
623
The key of the entry in the Secret resource's `data` field to be used.
624
Some instances of this field may be defaulted, in others it may be
625
required.
626
type: string
627
name:
628
description: |-
629
Name of the resource being referred to.
630
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
631
type: string
632
profile:
633
description: |-
634
Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
635
used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
636
637
If provided, allowed values are:
638
`LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
639
`LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
640
`Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
641
(eg. because of company policy). Please note that the security of the algorithm is not that important
642
in reality, because the unencrypted certificate and private key are also stored in the Secret.
643
type: string
644
enum:
645
- LegacyRC2
646
- LegacyDES
647
- Modern2023
648
literalSubject:
649
description: |-
650
Requested X.509 certificate subject, represented using the LDAP "String
651
Representation of a Distinguished Name" [1].
652
Important: the LDAP string format also specifies the order of the attributes
653
in the subject, this is important when issuing certs for LDAP authentication.
654
Example: `CN=foo,DC=corp,DC=example,DC=com`
655
More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
656
More info: https://github.com/cert-manager/cert-manager/issues/3203
657
More info: https://github.com/cert-manager/cert-manager/issues/4424
658
659
Cannot be set if the `subject` or `commonName` field is set.
660
type: string
661
nameConstraints:
662
description: |-
663
x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
664
More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
665
666
This is an Alpha Feature and is only enabled with the
667
`--feature-gates=NameConstraints=true` option set on both
668
the controller and webhook components.
669
type: object
670
properties:
671
critical:
672
description: if true then the name constraints are marked critical.
673
type: boolean
674
excluded:
675
description: |-
676
Excluded contains the constraints which must be disallowed. Any name matching a
677
restriction in the excluded field is invalid regardless
678
of information appearing in the permitted
679
type: object
680
properties:
681
dnsDomains:
682
description: DNSDomains is a list of DNS domains that are permitted or excluded.
683
type: array
684
items:
685
type: string
686
emailAddresses:
687
description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
688
type: array
689
items:
690
type: string
691
ipRanges:
692
description: |-
693
IPRanges is a list of IP Ranges that are permitted or excluded.
694
This should be a valid CIDR notation.
695
type: array
696
items:
697
type: string
698
uriDomains:
699
description: URIDomains is a list of URI domains that are permitted or excluded.
700
type: array
701
items:
702
type: string
703
permitted:
704
description: Permitted contains the constraints in which the names must be located.
705
type: object
706
properties:
707
dnsDomains:
708
description: DNSDomains is a list of DNS domains that are permitted or excluded.
709
type: array
710
items:
711
type: string
712
emailAddresses:
713
description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
714
type: array
715
items:
716
type: string
717
ipRanges:
718
description: |-
719
IPRanges is a list of IP Ranges that are permitted or excluded.
720
This should be a valid CIDR notation.
721
type: array
722
items:
723
type: string
724
uriDomains:
725
description: URIDomains is a list of URI domains that are permitted or excluded.
726
type: array
727
items:
728
type: string
729
otherNames:
730
description: |-
731
`otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string-like otherNames, cf. RFC 5280 p. 37.
Any UTF8 String valued otherName can be passed by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
735
type: array
736
items:
737
type: object
738
properties:
739
oid:
740
description: |-
741
OID is the object identifier for the otherName SAN.
742
The object identifier must be expressed as a dotted string, for
743
example, "1.2.840.113556.1.4.221".
744
type: string
745
utf8Value:
746
description: |-
747
utf8Value is the string value of the otherName SAN.
748
The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
749
type: string
750
privateKey:
751
description: |-
752
Private key options. These include the key algorithm and size, the used
753
encoding and the rotation policy.
754
type: object
755
properties:
756
algorithm:
757
description: |-
758
Algorithm is the private key algorithm of the corresponding private key
759
for this certificate.
760
761
If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
762
If `algorithm` is specified and `size` is not provided,
763
key size of 2048 will be used for `RSA` key algorithm and
764
key size of 256 will be used for `ECDSA` key algorithm.
765
key size is ignored when using the `Ed25519` key algorithm.
766
type: string
767
enum:
768
- RSA
769
- ECDSA
770
- Ed25519
771
encoding:
772
description: |-
773
The private key cryptography standards (PKCS) encoding for this
774
certificate's private key to be encoded in.
775
776
If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
777
and PKCS#8, respectively.
778
Defaults to `PKCS1` if not specified.
779
type: string
780
enum:
781
- PKCS1
782
- PKCS8
783
rotationPolicy:
784
description: |-
785
RotationPolicy controls how private keys should be regenerated when a
786
re-issuance is being processed.
787
788
If set to `Never`, a private key will only be generated if one does not
789
already exist in the target `spec.secretName`. If one does exist but it
790
does not have the correct algorithm or size, a warning will be raised
791
to await user intervention.
792
If set to `Always`, a private key matching the specified requirements
793
will be generated whenever a re-issuance occurs.
794
Default is `Never` for backward compatibility.
795
type: string
796
enum:
797
- Never
798
- Always
799
size:
800
description: |-
801
Size is the key bit size of the corresponding private key for this certificate.
802
803
If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
804
and will default to `2048` if not specified.
805
If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
806
and will default to `256` if not specified.
807
If `algorithm` is set to `Ed25519`, Size is ignored.
808
No other values are allowed.
809
type: integer
810
renewBefore:
811
description: |-
812
How long before the currently issued certificate's expiry cert-manager should
813
renew the certificate. For example, if a certificate is valid for 60 minutes,
814
and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
815
50 minutes after it was issued (i.e. when there are 10 minutes remaining until
816
the certificate is no longer valid).
817
818
NOTE: The actual lifetime of the issued certificate is used to determine the
819
renewal time. If an issuer returns a certificate with a different lifetime than
820
the one requested, cert-manager will use the lifetime of the issued certificate.
821
822
If unset, this defaults to 1/3 of the issued certificate's lifetime.
823
Minimum accepted value is 5 minutes.
824
Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
825
Cannot be set if the `renewBeforePercentage` field is set.
826
type: string
827
renewBeforePercentage:
828
description: |-
829
`renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
830
rather than an absolute duration. For example, if a certificate is valid for 60
831
minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to
832
renew the certificate 45 minutes after it was issued (i.e. when there are 15
833
minutes (25%) remaining until the certificate is no longer valid).
834
835
NOTE: The actual lifetime of the issued certificate is used to determine the
836
renewal time. If an issuer returns a certificate with a different lifetime than
837
the one requested, cert-manager will use the lifetime of the issued certificate.
838
839
Value must be an integer in the range (0,100). The minimum effective
840
`renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
841
minutes.
842
Cannot be set if the `renewBefore` field is set.
843
type: integer
844
format: int32
845
revisionHistoryLimit:
846
description: |-
847
The maximum number of CertificateRequest revisions that are maintained in
848
the Certificate's history. Each revision represents a single `CertificateRequest`
849
created by this Certificate, either when it was created, renewed, or Spec
850
was changed. Revisions will be removed by oldest first if the number of
851
revisions exceeds this number.
852
853
If set, revisionHistoryLimit must be a value of `1` or greater.
854
If unset (`nil`), revisions will not be garbage collected.
855
Default value is `nil`.
856
type: integer
857
format: int32
858
secretName:
859
description: |-
860
Name of the Secret resource that will be automatically created and
861
managed by this Certificate resource. It will be populated with a
862
private key and certificate, signed by the denoted issuer. The Secret
863
resource lives in the same namespace as the Certificate resource.
864
type: string
865
secretTemplate:
866
description: |-
867
Defines annotations and labels to be copied to the Certificate's Secret.
868
Labels and annotations on the Secret will be changed as they appear on the
869
SecretTemplate when added or removed. SecretTemplate annotations are added
870
in conjunction with, and cannot overwrite, the base set of annotations
871
cert-manager sets on the Certificate's Secret.
872
type: object
873
properties:
874
annotations:
875
description: Annotations is a key value map to be copied to the target Kubernetes Secret.
876
type: object
877
additionalProperties:
878
type: string
879
labels:
880
description: Labels is a key value map to be copied to the target Kubernetes Secret.
881
type: object
882
additionalProperties:
883
type: string
884
subject:
885
description: |-
886
Requested set of X509 certificate subject attributes.
887
More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
888
889
The common name attribute is specified separately in the `commonName` field.
890
Cannot be set if the `literalSubject` field is set.
891
type: object
892
properties:
893
countries:
894
description: Countries to be used on the Certificate.
895
type: array
896
items:
897
type: string
898
localities:
899
description: Cities to be used on the Certificate.
900
type: array
901
items:
902
type: string
903
organizationalUnits:
904
description: Organizational Units to be used on the Certificate.
905
type: array
906
items:
907
type: string
908
organizations:
909
description: Organizations to be used on the Certificate.
910
type: array
911
items:
912
type: string
913
postalCodes:
914
description: Postal codes to be used on the Certificate.
915
type: array
916
items:
917
type: string
918
provinces:
919
description: State/Provinces to be used on the Certificate.
920
type: array
921
items:
922
type: string
923
serialNumber:
924
description: Serial number to be used on the Certificate.
925
type: string
926
streetAddresses:
927
description: Street addresses to be used on the Certificate.
928
type: array
929
items:
930
type: string
931
uris:
932
description: Requested URI subject alternative names.
933
type: array
934
items:
935
type: string
936
usages:
937
description: |-
938
Requested key usages and extended key usages.
939
These usages are used to set the `usages` field on the created CertificateRequest
940
resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
941
will additionally be encoded in the `request` field which contains the CSR blob.
942
943
If unset, defaults to `digital signature` and `key encipherment`.
944
type: array
945
items:
946
description: |-
947
KeyUsage specifies valid usage contexts for keys.
948
See:
949
https://tools.ietf.org/html/rfc5280#section-4.2.1.3
950
https://tools.ietf.org/html/rfc5280#section-4.2.1.12
951
952
Valid KeyUsage values are as follows:
953
"signing",
954
"digital signature",
955
"content commitment",
956
"key encipherment",
957
"key agreement",
958
"data encipherment",
959
"cert sign",
960
"crl sign",
961
"encipher only",
962
"decipher only",
963
"any",
964
"server auth",
965
"client auth",
966
"code signing",
967
"email protection",
968
"s/mime",
969
"ipsec end system",
970
"ipsec tunnel",
971
"ipsec user",
972
"timestamping",
973
"ocsp signing",
974
"microsoft sgc",
975
"netscape sgc"
976
type: string
977
enum:
978
- signing
979
- digital signature
980
- content commitment
981
- key encipherment
982
- key agreement
983
- data encipherment
984
- cert sign
985
- crl sign
986
- encipher only
987
- decipher only
988
- any
989
- server auth
990
- client auth
991
- code signing
992
- email protection
993
- s/mime
994
- ipsec end system
995
- ipsec tunnel
996
- ipsec user
997
- timestamping
998
- ocsp signing
999
- microsoft sgc
1000
- netscape sgc
1001
status:
1002
description: |-
1003
Status of the Certificate.
1004
This is set and managed automatically.
1005
Read-only.
1006
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
1007
type: object
1008
properties:
1009
conditions:
1010
description: |-
1011
List of status conditions to indicate the status of certificates.
1012
Known condition types are `Ready` and `Issuing`.
1013
type: array
1014
items:
1015
description: CertificateCondition contains condition information for a Certificate.
1016
type: object
1017
required:
1018
- status
1019
- type
1020
properties:
1021
lastTransitionTime:
1022
description: |-
1023
LastTransitionTime is the timestamp corresponding to the last status
1024
change of this condition.
1025
type: string
1026
format: date-time
1027
message:
1028
description: |-
1029
Message is a human readable description of the details of the last
1030
transition, complementing reason.
1031
type: string
1032
observedGeneration:
1033
description: |-
1034
If set, this represents the .metadata.generation that the condition was
1035
set based upon.
1036
For instance, if .metadata.generation is currently 12, but the
1037
.status.condition[x].observedGeneration is 9, the condition is out of date
1038
with respect to the current state of the Certificate.
1039
type: integer
1040
format: int64
1041
reason:
1042
description: |-
1043
Reason is a brief machine readable explanation for the condition's last
1044
transition.
1045
type: string
1046
status:
1047
description: Status of the condition, one of (`True`, `False`, `Unknown`).
1048
type: string
1049
enum:
1050
- "True"
1051
- "False"
1052
- Unknown
1053
type:
1054
description: Type of the condition, known values are (`Ready`, `Issuing`).
1055
type: string
1056
x-kubernetes-list-map-keys:
1057
- type
1058
x-kubernetes-list-type: map
1059
failedIssuanceAttempts:
1060
description: |-
1061
The number of continuous failed issuance attempts up till now. This
1062
field gets removed (if set) on a successful issuance and gets set to
1063
1 if unset and an issuance has failed. If an issuance has failed, the
1064
delay till the next issuance will be calculated using formula
1065
time.Hour * 2 ^ (failedIssuanceAttempts - 1).
1066
type: integer
1067
lastFailureTime:
1068
description: |-
1069
LastFailureTime is set only if the latest issuance for this
1070
Certificate failed and contains the time of the failure. If an
1071
issuance has failed, the delay till the next issuance will be
1072
calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
1073
1). If the latest issuance has succeeded this field will be unset.
1074
type: string
1075
format: date-time
1076
nextPrivateKeySecretName:
1077
description: |-
1078
The name of the Secret resource containing the private key to be used
1079
for the next certificate iteration.
1080
The keymanager controller will automatically set this field if the
1081
`Issuing` condition is set to `True`.
1082
It will automatically unset this field when the Issuing condition is
1083
not set or False.
1084
type: string
1085
notAfter:
1086
description: |-
1087
The expiration time of the certificate stored in the secret named
1088
by this resource in `spec.secretName`.
1089
type: string
1090
format: date-time
1091
notBefore:
1092
description: |-
1093
The time after which the certificate stored in the secret named
1094
by this resource in `spec.secretName` is valid.
1095
type: string
1096
format: date-time
1097
renewalTime:
1098
description: |-
1099
RenewalTime is the time at which the certificate will be next
1100
renewed.
1101
If not set, no upcoming renewal is scheduled.
1102
type: string
1103
format: date-time
1104
revision:
1105
description: |-
1106
The current 'revision' of the certificate as issued.
1107
1108
When a CertificateRequest resource is created, it will have the
1109
`cert-manager.io/certificate-revision` set to one greater than the
1110
current value of this field.
1111
1112
Upon issuance, this field will be set to the value of the annotation
1113
on the CertificateRequest resource used to issue the certificate.
1114
1115
Persisting the value on the CertificateRequest resource allows the
1116
certificates controller to know whether a request is part of an old
1117
issuance or if it is part of the ongoing revision's issuance by
1118
checking if the revision value in the annotation is greater than this
1119
field.
1120
type: integer
1121
served: true
1122
storage: true
1123
1124
# END crd
1125
---
1126
# Source: cert-manager/templates/crds.yaml
1127
# START crd
1128
apiVersion: apiextensions.k8s.io/v1
1129
kind: CustomResourceDefinition
1130
metadata:
1131
name: challenges.acme.cert-manager.io
1132
# START annotations
1133
annotations:
1134
helm.sh/resource-policy: keep
1135
# END annotations
1136
labels:
1137
app: 'cert-manager'
1138
app.kubernetes.io/name: 'cert-manager'
1139
app.kubernetes.io/instance: 'cert-manager'
1140
# Generated labels
1141
app.kubernetes.io/version: "v1.17.0"
1142
spec:
1143
group: acme.cert-manager.io
1144
names:
1145
kind: Challenge
1146
listKind: ChallengeList
1147
plural: challenges
1148
singular: challenge
1149
categories:
1150
- cert-manager
1151
- cert-manager-acme
1152
scope: Namespaced
1153
versions:
1154
- additionalPrinterColumns:
1155
- jsonPath: .status.state
1156
name: State
1157
type: string
1158
- jsonPath: .spec.dnsName
1159
name: Domain
1160
type: string
1161
- jsonPath: .status.reason
1162
name: Reason
1163
priority: 1
1164
type: string
1165
- description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1166
jsonPath: .metadata.creationTimestamp
1167
name: Age
1168
type: date
1169
name: v1
1170
schema:
1171
openAPIV3Schema:
1172
description: Challenge is a type to represent a Challenge request with an ACME server
1173
type: object
1174
required:
1175
- metadata
1176
- spec
1177
properties:
1178
apiVersion:
1179
description: |-
1180
APIVersion defines the versioned schema of this representation of an object.
1181
Servers should convert recognized schemas to the latest internal value, and
1182
may reject unrecognized values.
1183
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
1184
type: string
1185
kind:
1186
description: |-
1187
Kind is a string value representing the REST resource this object represents.
1188
Servers may infer this from the endpoint the client submits requests to.
1189
Cannot be updated.
1190
In CamelCase.
1191
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
1192
type: string
1193
metadata:
1194
type: object
1195
spec:
1196
type: object
1197
required:
1198
- authorizationURL
1199
- dnsName
1200
- issuerRef
1201
- key
1202
- solver
1203
- token
1204
- type
1205
- url
1206
properties:
1207
authorizationURL:
1208
description: |-
1209
The URL to the ACME Authorization resource that this
1210
challenge is a part of.
1211
type: string
1212
dnsName:
1213
description: |-
1214
dnsName is the identifier that this challenge is for, e.g. example.com.
1215
If the requested DNSName is a 'wildcard', this field MUST be set to the
1216
non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
1217
type: string
1218
issuerRef:
1219
description: |-
1220
References a properly configured ACME-type Issuer which should
1221
be used to create this Challenge.
1222
If the Issuer does not exist, processing will be retried.
1223
If the Issuer is not an 'ACME' Issuer, an error will be returned and the
1224
Challenge will be marked as failed.
1225
type: object
1226
required:
1227
- name
1228
properties:
1229
group:
1230
description: Group of the resource being referred to.
1231
type: string
1232
kind:
1233
description: Kind of the resource being referred to.
1234
type: string
1235
name:
1236
description: Name of the resource being referred to.
1237
type: string
1238
key:
1239
description: |-
1240
The ACME challenge key for this challenge
1241
For HTTP01 challenges, this is the value that must be responded with to
1242
complete the HTTP01 challenge in the format:
1243
`<private key JWK thumbprint>.<key from acme server for challenge>`.
1244
For DNS01 challenges, this is the base64 encoded SHA256 sum of the
1245
`<private key JWK thumbprint>.<key from acme server for challenge>`
1246
text that must be set as the TXT record content.
1247
type: string
1248
solver:
1249
description: |-
1250
Contains the domain solving configuration that should be used to
1251
solve this challenge resource.
1252
type: object
1253
properties:
1254
dns01:
1255
description: |-
1256
Configures cert-manager to attempt to complete authorizations by
1257
performing the DNS01 challenge flow.
1258
type: object
1259
properties:
1260
acmeDNS:
1261
description: |-
1262
Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
1263
DNS01 challenge records.
1264
type: object
1265
required:
1266
- accountSecretRef
1267
- host
1268
properties:
1269
accountSecretRef:
1270
description: |-
1271
A reference to a specific 'key' within a Secret resource.
1272
In some instances, `key` is a required field.
1273
type: object
1274
required:
1275
- name
1276
properties:
1277
key:
1278
description: |-
1279
The key of the entry in the Secret resource's `data` field to be used.
1280
Some instances of this field may be defaulted, in others it may be
1281
required.
1282
type: string
1283
name:
1284
description: |-
1285
Name of the resource being referred to.
1286
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1287
type: string
1288
host:
1289
type: string
1290
akamai:
1291
description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
1292
type: object
1293
required:
1294
- accessTokenSecretRef
1295
- clientSecretSecretRef
1296
- clientTokenSecretRef
1297
- serviceConsumerDomain
1298
properties:
1299
accessTokenSecretRef:
1300
description: |-
1301
A reference to a specific 'key' within a Secret resource.
1302
In some instances, `key` is a required field.
1303
type: object
1304
required:
1305
- name
1306
properties:
1307
key:
1308
description: |-
1309
The key of the entry in the Secret resource's `data` field to be used.
1310
Some instances of this field may be defaulted, in others it may be
1311
required.
1312
type: string
1313
name:
1314
description: |-
1315
Name of the resource being referred to.
1316
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1317
type: string
1318
clientSecretSecretRef:
1319
description: |-
1320
A reference to a specific 'key' within a Secret resource.
1321
In some instances, `key` is a required field.
1322
type: object
1323
required:
1324
- name
1325
properties:
1326
key:
1327
description: |-
1328
The key of the entry in the Secret resource's `data` field to be used.
1329
Some instances of this field may be defaulted, in others it may be
1330
required.
1331
type: string
1332
name:
1333
description: |-
1334
Name of the resource being referred to.
1335
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1336
type: string
1337
clientTokenSecretRef:
1338
description: |-
1339
A reference to a specific 'key' within a Secret resource.
1340
In some instances, `key` is a required field.
1341
type: object
1342
required:
1343
- name
1344
properties:
1345
key:
1346
description: |-
1347
The key of the entry in the Secret resource's `data` field to be used.
1348
Some instances of this field may be defaulted, in others it may be
1349
required.
1350
type: string
1351
name:
1352
description: |-
1353
Name of the resource being referred to.
1354
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1355
type: string
1356
serviceConsumerDomain:
1357
type: string
1358
azureDNS:
1359
description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
1360
type: object
1361
required:
1362
- resourceGroupName
1363
- subscriptionID
1364
properties:
1365
clientID:
1366
description: |-
1367
Auth: Azure Service Principal:
1368
The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
1369
If set, ClientSecret and TenantID must also be set.
1370
type: string
1371
clientSecretSecretRef:
1372
description: |-
1373
Auth: Azure Service Principal:
1374
A reference to a Secret containing the password associated with the Service Principal.
1375
If set, ClientID and TenantID must also be set.
1376
type: object
1377
required:
1378
- name
1379
properties:
1380
key:
1381
description: |-
1382
The key of the entry in the Secret resource's `data` field to be used.
1383
Some instances of this field may be defaulted, in others it may be
1384
required.
1385
type: string
1386
name:
1387
description: |-
1388
Name of the resource being referred to.
1389
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1390
type: string
1391
environment:
1392
description: name of the Azure environment (default AzurePublicCloud)
1393
type: string
1394
enum:
1395
- AzurePublicCloud
1396
- AzureChinaCloud
1397
- AzureGermanCloud
1398
- AzureUSGovernmentCloud
1399
hostedZoneName:
1400
description: name of the DNS zone that should be used
1401
type: string
1402
managedIdentity:
1403
description: |-
1404
Auth: Azure Workload Identity or Azure Managed Service Identity:
1405
Settings to enable Azure Workload Identity or Azure Managed Service Identity
1406
If set, ClientID, ClientSecret and TenantID must not be set.
1407
type: object
1408
properties:
1409
clientID:
1410
description: client ID of the managed identity; cannot be used at the same time as resourceID
1411
type: string
1412
resourceID:
1413
description: |-
1414
resource ID of the managed identity; cannot be used at the same time as clientID
1415
Cannot be used for Azure Managed Service Identity
1416
type: string
1417
tenantID:
1418
description: tenant ID of the managed identity; cannot be used at the same time as resourceID
1419
type: string
1420
resourceGroupName:
1421
description: resource group the DNS zone is located in
1422
type: string
1423
subscriptionID:
1424
description: ID of the Azure subscription
1425
type: string
1426
tenantID:
1427
description: |-
1428
Auth: Azure Service Principal:
1429
The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
1430
If set, ClientID and ClientSecret must also be set.
1431
type: string
1432
cloudDNS:
1433
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
1434
type: object
1435
required:
1436
- project
1437
properties:
1438
hostedZoneName:
1439
description: |-
1440
HostedZoneName is an optional field that tells cert-manager in which
1441
Cloud DNS zone the challenge record has to be created.
1442
If left empty cert-manager will automatically choose a zone.
1443
type: string
1444
project:
1445
type: string
1446
serviceAccountSecretRef:
1447
description: |-
1448
A reference to a specific 'key' within a Secret resource.
1449
In some instances, `key` is a required field.
1450
type: object
1451
required:
1452
- name
1453
properties:
1454
key:
1455
description: |-
1456
The key of the entry in the Secret resource's `data` field to be used.
1457
Some instances of this field may be defaulted, in others it may be
1458
required.
1459
type: string
1460
name:
1461
description: |-
1462
Name of the resource being referred to.
1463
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1464
type: string
1465
cloudflare:
1466
description: Use the Cloudflare API to manage DNS01 challenge records.
1467
type: object
1468
properties:
1469
apiKeySecretRef:
1470
description: |-
1471
API key to use to authenticate with Cloudflare.
1472
Note: using an API token to authenticate is now the recommended method
1473
as it allows greater control of permissions.
1474
type: object
1475
required:
1476
- name
1477
properties:
1478
key:
1479
description: |-
1480
The key of the entry in the Secret resource's `data` field to be used.
1481
Some instances of this field may be defaulted, in others it may be
1482
required.
1483
type: string
1484
name:
1485
description: |-
1486
Name of the resource being referred to.
1487
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1488
type: string
1489
apiTokenSecretRef:
1490
description: API token used to authenticate with Cloudflare.
1491
type: object
1492
required:
1493
- name
1494
properties:
1495
key:
1496
description: |-
1497
The key of the entry in the Secret resource's `data` field to be used.
1498
Some instances of this field may be defaulted, in others it may be
1499
required.
1500
type: string
1501
name:
1502
description: |-
1503
Name of the resource being referred to.
1504
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1505
type: string
1506
email:
1507
description: Email of the account, only required when using API key based authentication.
1508
type: string
1509
cnameStrategy:
1510
description: |-
1511
CNAMEStrategy configures how the DNS01 provider should handle CNAME
1512
records when found in DNS zones.
1513
type: string
1514
enum:
1515
- None
1516
- Follow
1517
digitalocean:
1518
description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
1519
type: object
1520
required:
1521
- tokenSecretRef
1522
properties:
1523
tokenSecretRef:
1524
description: |-
1525
A reference to a specific 'key' within a Secret resource.
1526
In some instances, `key` is a required field.
1527
type: object
1528
required:
1529
- name
1530
properties:
1531
key:
1532
description: |-
1533
The key of the entry in the Secret resource's `data` field to be used.
1534
Some instances of this field may be defaulted, in others it may be
1535
required.
1536
type: string
1537
name:
1538
description: |-
1539
Name of the resource being referred to.
1540
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1541
type: string
1542
rfc2136:
1543
description: |-
1544
Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
1545
to manage DNS01 challenge records.
1546
type: object
1547
required:
1548
- nameserver
1549
properties:
1550
nameserver:
1551
description: |-
1552
The IP address or hostname of an authoritative DNS server supporting
1553
RFC2136 in the form host:port. If the host is an IPv6 address it must be
1554
enclosed in square brackets (e.g. [2001:db8::1]); the port is optional.
1555
This field is required.
1556
type: string
1557
tsigAlgorithm:
1558
description: |-
1559
The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
1560
when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
1561
Supported values are (case-insensitive): ``HMACMD5`` (default),
1562
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
1563
type: string
1564
tsigKeyName:
1565
description: |-
1566
The TSIG Key name configured in the DNS.
1567
If ``tsigSecretSecretRef`` is defined, this field is required.
1568
type: string
1569
tsigSecretSecretRef:
1570
description: |-
1571
The name of the secret containing the TSIG value.
1572
If ``tsigKeyName`` is defined, this field is required.
1573
type: object
1574
required:
1575
- name
1576
properties:
1577
key:
1578
description: |-
1579
The key of the entry in the Secret resource's `data` field to be used.
1580
Some instances of this field may be defaulted, in others it may be
1581
required.
1582
type: string
1583
name:
1584
description: |-
1585
Name of the resource being referred to.
1586
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1587
type: string
1588
route53:
1589
description: Use the AWS Route53 API to manage DNS01 challenge records.
1590
type: object
1591
properties:
1592
accessKeyID:
1593
description: |-
1594
The AccessKeyID is used for authentication.
1595
Cannot be set when `accessKeyIDSecretRef` is set.
If neither the Access Key nor the Key ID is set, we fall back to using env
1597
vars, shared credentials file or AWS Instance metadata,
1598
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
1599
type: string
1600
accessKeyIDSecretRef:
1601
description: |-
1602
If set, the AWS access key ID is pulled from a key within a Kubernetes
Secret and used for authentication.
1604
Cannot be set when AccessKeyID is set.
1605
If neither the Access Key nor the Key ID is set, we fall back to using env
1606
vars, shared credentials file or AWS Instance metadata,
1607
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
1608
type: object
1609
required:
1610
- name
1611
properties:
1612
key:
1613
description: |-
1614
The key of the entry in the Secret resource's `data` field to be used.
1615
Some instances of this field may be defaulted, in others it may be
1616
required.
1617
type: string
1618
name:
1619
description: |-
1620
Name of the resource being referred to.
1621
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1622
type: string
1623
auth:
1624
description: Auth configures how cert-manager authenticates.
1625
type: object
1626
required:
1627
- kubernetes
1628
properties:
1629
kubernetes:
1630
description: |-
1631
Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
1632
by passing a bound ServiceAccount token.
1633
type: object
1634
required:
1635
- serviceAccountRef
1636
properties:
1637
serviceAccountRef:
1638
description: |-
1639
A reference to a service account that will be used to request a bound
1640
token (also known as "projected token"). To use this field, you must
1641
configure an RBAC rule to let cert-manager request a token.
1642
type: object
1643
required:
1644
- name
1645
properties:
1646
audiences:
1647
description: |-
1648
TokenAudiences is an optional list of audiences to include in the
1649
token passed to AWS. The default token consisting of the issuer's namespace
1650
and name is always included.
1651
If unset the audience defaults to `sts.amazonaws.com`.
1652
type: array
1653
items:
1654
type: string
1655
name:
1656
description: Name of the ServiceAccount used to request a token.
1657
type: string
1658
hostedZoneID:
1659
description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
1660
type: string
1661
region:
1662
description: |-
1663
Override the AWS region.
1664
1665
Route53 is a global service and does not have regional endpoints but the
1666
region specified here (or via environment variables) is used as a hint to
1667
help compute the correct AWS credential scope and partition when it
1668
connects to Route53. See:
1669
- [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
1670
- [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
1671
1672
If you omit this region field, cert-manager will use the region from
1673
AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
1674
in the cert-manager controller Pod.
1675
1676
The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
1677
Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
1678
[Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
1679
In this case this `region` field value is ignored.
1680
1681
The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
1682
Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
1683
[Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
1684
In this case this `region` field value is ignored.
1685
type: string
1686
role:
1687
description: |-
1688
Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
1689
or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
1690
type: string
1691
secretAccessKeySecretRef:
1692
description: |-
1693
The SecretAccessKey is used for authentication.
1694
If neither the Access Key nor the Key ID is set, we fall back to using env
1695
vars, shared credentials file or AWS Instance metadata,
1696
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
1697
type: object
1698
required:
1699
- name
1700
properties:
1701
key:
1702
description: |-
1703
The key of the entry in the Secret resource's `data` field to be used.
1704
Some instances of this field may be defaulted, in others it may be
1705
required.
1706
type: string
1707
name:
1708
description: |-
1709
Name of the resource being referred to.
1710
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1711
type: string
1712
webhook:
1713
description: |-
1714
Configure an external webhook based DNS01 challenge solver to manage
1715
DNS01 challenge records.
1716
type: object
1717
required:
1718
- groupName
1719
- solverName
1720
properties:
1721
config:
1722
description: |-
1723
Additional configuration that should be passed to the webhook apiserver
1724
when challenges are processed.
1725
This can contain arbitrary JSON data.
1726
Secret values should not be specified in this stanza.
1727
If secret values are needed (e.g. credentials for a DNS service), you
1728
should use a SecretKeySelector to reference a Secret resource.
1729
For details on the schema of this field, consult the webhook provider
1730
implementation's documentation.
1731
x-kubernetes-preserve-unknown-fields: true
1732
groupName:
1733
description: |-
1734
The API group name that should be used when POSTing ChallengePayload
1735
resources to the webhook apiserver.
1736
This should be the same as the GroupName specified in the webhook
1737
provider implementation.
1738
type: string
1739
solverName:
1740
description: |-
1741
The name of the solver to use, as defined in the webhook provider
1742
implementation.
1743
This will typically be the name of the provider, e.g. 'cloudflare'.
1744
type: string
1745
http01:
1746
description: |-
1747
Configures cert-manager to attempt to complete authorizations by
1748
performing the HTTP01 challenge flow.
1749
It is not possible to obtain certificates for wildcard domain names
1750
(e.g. `*.example.com`) using the HTTP01 challenge mechanism.
1751
type: object
1752
properties:
1753
gatewayHTTPRoute:
1754
description: |-
1755
The Gateway API is a sig-network community API that models service networking
1756
in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
1757
create HTTPRoutes with the specified labels in the same namespace as the challenge.
1758
This solver is experimental, and fields / behaviour may change in the future.
1759
type: object
1760
properties:
1761
labels:
1762
description: |-
1763
Custom labels that will be applied to HTTPRoutes created by cert-manager
1764
while solving HTTP-01 challenges.
1765
type: object
1766
additionalProperties:
1767
type: string
1768
parentRefs:
1769
description: |-
1770
When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
1771
cert-manager needs to know which parentRefs should be used when creating
1772
the HTTPRoute. Usually, the parentRef references a Gateway. See:
1773
https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
1774
type: array
1775
items:
1776
description: |-
1777
ParentReference identifies an API object (usually a Gateway) that can be considered
1778
a parent of this resource (usually a route). There are two kinds of parent resources
1779
with "Core" support:
1780
1781
* Gateway (Gateway conformance profile)
1782
* Service (Mesh conformance profile, ClusterIP Services only)
1783
1784
This API may be extended in the future to support additional kinds of parent
1785
resources.
1786
1787
The API object must be valid in the cluster; the Group and Kind must
1788
be registered in the cluster for this reference to be valid.
1789
type: object
1790
required:
1791
- name
1792
properties:
1793
group:
1794
description: |-
1795
Group is the group of the referent.
1796
When unspecified, "gateway.networking.k8s.io" is inferred.
1797
To set the core API group (such as for a "Service" kind referent),
1798
Group must be explicitly set to "" (empty string).
1799
1800
Support: Core
1801
type: string
1802
default: gateway.networking.k8s.io
1803
maxLength: 253
1804
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1805
kind:
1806
description: |-
1807
Kind is kind of the referent.
1808
1809
There are two kinds of parent resources with "Core" support:
1810
1811
* Gateway (Gateway conformance profile)
1812
* Service (Mesh conformance profile, ClusterIP Services only)
1813
1814
Support for other resources is Implementation-Specific.
1815
type: string
1816
default: Gateway
1817
maxLength: 63
1818
minLength: 1
1819
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
1820
name:
1821
description: |-
1822
Name is the name of the referent.
1823
1824
Support: Core
1825
type: string
1826
maxLength: 253
1827
minLength: 1
1828
namespace:
1829
description: |-
1830
Namespace is the namespace of the referent. When unspecified, this refers
1831
to the local namespace of the Route.
1832
1833
Note that there are specific rules for ParentRefs which cross namespace
1834
boundaries. Cross-namespace references are only valid if they are explicitly
1835
allowed by something in the namespace they are referring to. For example:
1836
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
1837
generic way to enable any other kind of cross-namespace reference.
1838
1839
1840
ParentRefs from a Route to a Service in the same namespace are "producer"
1841
routes, which apply default routing rules to inbound connections from
1842
any namespace to the Service.
1843
1844
ParentRefs from a Route to a Service in a different namespace are
1845
"consumer" routes, and these routing rules are only applied to outbound
1846
connections originating from the same namespace as the Route, for which
1847
the intended destination of the connections are a Service targeted as a
1848
ParentRef of the Route.
1849
1850
1851
Support: Core
1852
type: string
1853
maxLength: 63
1854
minLength: 1
1855
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
1856
port:
1857
description: |-
1858
Port is the network port this Route targets. It can be interpreted
1859
differently based on the type of parent resource.
1860
1861
When the parent resource is a Gateway, this targets all listeners
1862
listening on the specified port that also support this kind of Route (and
1863
select this Route). It's not recommended to set `Port` unless the
1864
networking behaviors specified in a Route must apply to a specific port
1865
as opposed to a listener(s) whose port(s) may be changed. When both Port
1866
and SectionName are specified, the name and port of the selected listener
1867
must match both specified values.
1868
1869
1870
When the parent resource is a Service, this targets a specific port in the
1871
Service spec. When both Port (experimental) and SectionName are specified,
1872
the name and port of the selected port must match both specified values.
1873
1874
1875
Implementations MAY choose to support other parent resources.
1876
Implementations supporting other types of parent resources MUST clearly
1877
document how/if Port is interpreted.
1878
1879
For the purpose of status, an attachment is considered successful as
1880
long as the parent resource accepts it partially. For example, Gateway
1881
listeners can restrict which Routes can attach to them by Route kind,
1882
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
1883
from the referencing Route, the Route MUST be considered successfully
1884
attached. If no Gateway listeners accept attachment from this Route,
1885
the Route MUST be considered detached from the Gateway.
1886
1887
Support: Extended
1888
type: integer
1889
format: int32
1890
maximum: 65535
1891
minimum: 1
1892
sectionName:
1893
description: |-
1894
SectionName is the name of a section within the target resource. In the
1895
following resources, SectionName is interpreted as the following:
1896
1897
* Gateway: Listener name. When both Port (experimental) and SectionName
1898
are specified, the name and port of the selected listener must match
1899
both specified values.
1900
* Service: Port name. When both Port (experimental) and SectionName
1901
are specified, the name and port of the selected port must match
1902
both specified values.
1903
1904
Implementations MAY choose to support attaching Routes to other resources.
1905
If that is the case, they MUST clearly document how SectionName is
1906
interpreted.
1907
1908
When unspecified (empty string), this will reference the entire resource.
1909
For the purpose of status, an attachment is considered successful if at
1910
least one section in the parent resource accepts it. For example, Gateway
1911
listeners can restrict which Routes can attach to them by Route kind,
1912
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
1913
the referencing Route, the Route MUST be considered successfully
1914
attached. If no Gateway listeners accept attachment from this Route, the
1915
Route MUST be considered detached from the Gateway.
1916
1917
Support: Core
1918
type: string
1919
maxLength: 253
1920
minLength: 1
1921
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1922
podTemplate:
1923
description: |-
1924
Optional pod template used to configure the ACME challenge solver pods
1925
used for HTTP01 challenges.
1926
type: object
1927
properties:
1928
metadata:
1929
description: |-
1930
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
1931
Only the 'labels' and 'annotations' fields may be set.
1932
If labels or annotations overlap with in-built values, the values here
1933
will override the in-built values.
1934
type: object
1935
properties:
1936
annotations:
1937
description: Annotations that should be added to the created ACME HTTP01 solver pods.
1938
type: object
1939
additionalProperties:
1940
type: string
1941
labels:
1942
description: Labels that should be added to the created ACME HTTP01 solver pods.
1943
type: object
1944
additionalProperties:
1945
type: string
1946
spec:
1947
description: |-
1948
PodSpec defines overrides for the HTTP01 challenge solver pod.
1949
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
1950
All other fields will be ignored.
1951
type: object
1952
properties:
1953
affinity:
1954
description: If specified, the pod's scheduling constraints
1955
type: object
1956
properties:
1957
nodeAffinity:
1958
description: Describes node affinity scheduling rules for the pod.
1959
type: object
1960
properties:
1961
preferredDuringSchedulingIgnoredDuringExecution:
1962
description: |-
1963
The scheduler will prefer to schedule pods to nodes that satisfy
1964
the affinity expressions specified by this field, but it may choose
1965
a node that violates one or more of the expressions. The node that is
1966
most preferred is the one with the greatest sum of weights, i.e.
1967
for each node that meets all of the scheduling requirements (resource
1968
request, requiredDuringScheduling affinity expressions, etc.),
1969
compute a sum by iterating through the elements of this field and adding
1970
"weight" to the sum if the node matches the corresponding matchExpressions; the
1971
node(s) with the highest sum are the most preferred.
1972
type: array
1973
items:
1974
description: |-
1975
An empty preferred scheduling term matches all objects with implicit weight 0
1976
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
1977
type: object
1978
required:
1979
- preference
1980
- weight
1981
properties:
1982
preference:
1983
description: A node selector term, associated with the corresponding weight.
1984
type: object
1985
properties:
1986
matchExpressions:
1987
description: A list of node selector requirements by node's labels.
1988
type: array
1989
items:
1990
description: |-
1991
A node selector requirement is a selector that contains values, a key, and an operator
1992
that relates the key and values.
1993
type: object
1994
required:
1995
- key
1996
- operator
1997
properties:
1998
key:
1999
description: The label key that the selector applies to.
2000
type: string
2001
operator:
2002
description: |-
2003
Represents a key's relationship to a set of values.
2004
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2005
type: string
2006
values:
2007
description: |-
2008
An array of string values. If the operator is In or NotIn,
2009
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2010
the values array must be empty. If the operator is Gt or Lt, the values
2011
array must have a single element, which will be interpreted as an integer.
2012
This array is replaced during a strategic merge patch.
2013
type: array
2014
items:
2015
type: string
2016
x-kubernetes-list-type: atomic
2017
x-kubernetes-list-type: atomic
2018
matchFields:
2019
description: A list of node selector requirements by node's fields.
2020
type: array
2021
items:
2022
description: |-
2023
A node selector requirement is a selector that contains values, a key, and an operator
2024
that relates the key and values.
2025
type: object
2026
required:
2027
- key
2028
- operator
2029
properties:
2030
key:
2031
description: The label key that the selector applies to.
2032
type: string
2033
operator:
2034
description: |-
2035
Represents a key's relationship to a set of values.
2036
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2037
type: string
2038
values:
2039
description: |-
2040
An array of string values. If the operator is In or NotIn,
2041
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2042
the values array must be empty. If the operator is Gt or Lt, the values
2043
array must have a single element, which will be interpreted as an integer.
2044
This array is replaced during a strategic merge patch.
2045
type: array
2046
items:
2047
type: string
2048
x-kubernetes-list-type: atomic
2049
x-kubernetes-list-type: atomic
2050
x-kubernetes-map-type: atomic
2051
weight:
2052
description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2053
type: integer
2054
format: int32
2055
x-kubernetes-list-type: atomic
2056
requiredDuringSchedulingIgnoredDuringExecution:
2057
description: |-
2058
If the affinity requirements specified by this field are not met at
2059
scheduling time, the pod will not be scheduled onto the node.
2060
If the affinity requirements specified by this field cease to be met
2061
at some point during pod execution (e.g. due to an update), the system
2062
may or may not try to eventually evict the pod from its node.
2063
type: object
2064
required:
2065
- nodeSelectorTerms
2066
properties:
2067
nodeSelectorTerms:
2068
description: Required. A list of node selector terms. The terms are ORed.
2069
type: array
2070
items:
2071
description: |-
2072
A null or empty node selector term matches no objects. The requirements of
2073
them are ANDed.
2074
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2075
type: object
2076
properties:
2077
matchExpressions:
2078
description: A list of node selector requirements by node's labels.
2079
type: array
2080
items:
2081
description: |-
2082
A node selector requirement is a selector that contains values, a key, and an operator
2083
that relates the key and values.
2084
type: object
2085
required:
2086
- key
2087
- operator
2088
properties:
2089
key:
2090
description: The label key that the selector applies to.
2091
type: string
2092
operator:
2093
description: |-
2094
Represents a key's relationship to a set of values.
2095
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2096
type: string
2097
values:
2098
description: |-
2099
An array of string values. If the operator is In or NotIn,
2100
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2101
the values array must be empty. If the operator is Gt or Lt, the values
2102
array must have a single element, which will be interpreted as an integer.
2103
This array is replaced during a strategic merge patch.
2104
type: array
2105
items:
2106
type: string
2107
x-kubernetes-list-type: atomic
2108
x-kubernetes-list-type: atomic
2109
matchFields:
2110
description: A list of node selector requirements by node's fields.
2111
type: array
2112
items:
2113
description: |-
2114
A node selector requirement is a selector that contains values, a key, and an operator
2115
that relates the key and values.
2116
type: object
2117
required:
2118
- key
2119
- operator
2120
properties:
2121
key:
2122
description: The label key that the selector applies to.
2123
type: string
2124
operator:
2125
description: |-
2126
Represents a key's relationship to a set of values.
2127
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2128
type: string
2129
values:
2130
description: |-
2131
An array of string values. If the operator is In or NotIn,
2132
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2133
the values array must be empty. If the operator is Gt or Lt, the values
2134
array must have a single element, which will be interpreted as an integer.
2135
This array is replaced during a strategic merge patch.
2136
type: array
2137
items:
2138
type: string
2139
x-kubernetes-list-type: atomic
2140
x-kubernetes-list-type: atomic
2141
x-kubernetes-map-type: atomic
2142
x-kubernetes-list-type: atomic
2143
x-kubernetes-map-type: atomic
2144
podAffinity:
2145
description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2146
type: object
2147
properties:
2148
preferredDuringSchedulingIgnoredDuringExecution:
2149
description: |-
2150
The scheduler will prefer to schedule pods to nodes that satisfy
2151
the affinity expressions specified by this field, but it may choose
2152
a node that violates one or more of the expressions. The node that is
2153
most preferred is the one with the greatest sum of weights, i.e.
2154
for each node that meets all of the scheduling requirements (resource
2155
request, requiredDuringScheduling affinity expressions, etc.),
2156
compute a sum by iterating through the elements of this field and adding
2157
"weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
2158
node(s) with the highest sum are the most preferred.
2159
type: array
2160
items:
2161
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2162
type: object
2163
required:
2164
- podAffinityTerm
2165
- weight
2166
properties:
2167
podAffinityTerm:
2168
description: Required. A pod affinity term, associated with the corresponding weight.
2169
type: object
2170
required:
2171
- topologyKey
2172
properties:
2173
labelSelector:
2174
description: |-
2175
A label query over a set of resources, in this case pods.
2176
If it's null, this PodAffinityTerm matches with no Pods.
2177
type: object
2178
properties:
2179
matchExpressions:
2180
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2181
type: array
2182
items:
2183
description: |-
2184
A label selector requirement is a selector that contains values, a key, and an operator that
2185
relates the key and values.
2186
type: object
2187
required:
2188
- key
2189
- operator
2190
properties:
2191
key:
2192
description: key is the label key that the selector applies to.
2193
type: string
2194
operator:
2195
description: |-
2196
operator represents a key's relationship to a set of values.
2197
Valid operators are In, NotIn, Exists and DoesNotExist.
2198
type: string
2199
values:
2200
description: |-
2201
values is an array of string values. If the operator is In or NotIn,
2202
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2203
the values array must be empty. This array is replaced during a strategic
2204
merge patch.
2205
type: array
2206
items:
2207
type: string
2208
x-kubernetes-list-type: atomic
2209
x-kubernetes-list-type: atomic
2210
matchLabels:
2211
description: |-
2212
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2213
map is equivalent to an element of matchExpressions, whose key field is "key", the
2214
operator is "In", and the values array contains only "value". The requirements are ANDed.
2215
type: object
2216
additionalProperties:
2217
type: string
2218
x-kubernetes-map-type: atomic
2219
matchLabelKeys:
2220
description: |-
2221
MatchLabelKeys is a set of pod label keys to select which pods will
2222
be taken into consideration. The keys are used to lookup values from the
2223
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2224
to select the group of existing pods that will be taken into consideration
2225
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2226
pod labels will be ignored. The default value is empty.
2227
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2228
Also, matchLabelKeys cannot be set when labelSelector isn't set.
2229
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2230
type: array
2231
items:
2232
type: string
2233
x-kubernetes-list-type: atomic
2234
mismatchLabelKeys:
2235
description: |-
2236
MismatchLabelKeys is a set of pod label keys to select which pods will
2237
be taken into consideration. The keys are used to lookup values from the
2238
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2239
to select the group of existing pods that will be taken into consideration
2240
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2241
pod labels will be ignored. The default value is empty.
2242
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2243
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2244
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2245
type: array
2246
items:
2247
type: string
2248
x-kubernetes-list-type: atomic
2249
namespaceSelector:
2250
description: |-
2251
A label query over the set of namespaces that the term applies to.
2252
The term is applied to the union of the namespaces selected by this field
2253
and the ones listed in the namespaces field.
2254
null selector and null or empty namespaces list means "this pod's namespace".
2255
An empty selector ({}) matches all namespaces.
2256
type: object
2257
properties:
2258
matchExpressions:
2259
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2260
type: array
2261
items:
2262
description: |-
2263
A label selector requirement is a selector that contains values, a key, and an operator that
2264
relates the key and values.
2265
type: object
2266
required:
2267
- key
2268
- operator
2269
properties:
2270
key:
2271
description: key is the label key that the selector applies to.
2272
type: string
2273
operator:
2274
description: |-
2275
operator represents a key's relationship to a set of values.
2276
Valid operators are In, NotIn, Exists and DoesNotExist.
2277
type: string
2278
values:
2279
description: |-
2280
values is an array of string values. If the operator is In or NotIn,
2281
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2282
the values array must be empty. This array is replaced during a strategic
2283
merge patch.
2284
type: array
2285
items:
2286
type: string
2287
x-kubernetes-list-type: atomic
2288
x-kubernetes-list-type: atomic
2289
matchLabels:
2290
description: |-
2291
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2292
map is equivalent to an element of matchExpressions, whose key field is "key", the
2293
operator is "In", and the values array contains only "value". The requirements are ANDed.
2294
type: object
2295
additionalProperties:
2296
type: string
2297
x-kubernetes-map-type: atomic
2298
namespaces:
2299
description: |-
2300
namespaces specifies a static list of namespace names that the term applies to.
2301
The term is applied to the union of the namespaces listed in this field
2302
and the ones selected by namespaceSelector.
2303
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2304
type: array
2305
items:
2306
type: string
2307
x-kubernetes-list-type: atomic
2308
topologyKey:
2309
description: |-
2310
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2311
the labelSelector in the specified namespaces, where co-located is defined as running on a node
2312
whose value of the label with key topologyKey matches that of any node on which any of the
2313
selected pods is running.
2314
Empty topologyKey is not allowed.
2315
type: string
2316
weight:
2317
description: |-
2318
weight associated with matching the corresponding podAffinityTerm,
2319
in the range 1-100.
2320
type: integer
2321
format: int32
2322
x-kubernetes-list-type: atomic
2323
requiredDuringSchedulingIgnoredDuringExecution:
2324
description: |-
2325
If the affinity requirements specified by this field are not met at
2326
scheduling time, the pod will not be scheduled onto the node.
2327
If the affinity requirements specified by this field cease to be met
2328
at some point during pod execution (e.g. due to a pod label update), the
2329
system may or may not try to eventually evict the pod from its node.
2330
When there are multiple elements, the lists of nodes corresponding to each
2331
podAffinityTerm are intersected, i.e. all terms must be satisfied.
2332
type: array
2333
items:
2334
description: |-
2335
Defines a set of pods (namely those matching the labelSelector
2336
relative to the given namespace(s)) that this pod should be
2337
co-located (affinity) or not co-located (anti-affinity) with,
2338
where co-located is defined as running on a node whose value of
2339
the label with key topologyKey matches that of any node on which
2340
a pod of the set of pods is running.
2341
type: object
2342
required:
2343
- topologyKey
2344
properties:
2345
labelSelector:
2346
description: |-
2347
A label query over a set of resources, in this case pods.
2348
If it's null, this PodAffinityTerm matches with no Pods.
2349
type: object
2350
properties:
2351
matchExpressions:
2352
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2353
type: array
2354
items:
2355
description: |-
2356
A label selector requirement is a selector that contains values, a key, and an operator that
2357
relates the key and values.
2358
type: object
2359
required:
2360
- key
2361
- operator
2362
properties:
2363
key:
2364
description: key is the label key that the selector applies to.
2365
type: string
2366
operator:
2367
description: |-
2368
operator represents a key's relationship to a set of values.
2369
Valid operators are In, NotIn, Exists and DoesNotExist.
2370
type: string
2371
values:
2372
description: |-
2373
values is an array of string values. If the operator is In or NotIn,
2374
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2375
the values array must be empty. This array is replaced during a strategic
2376
merge patch.
2377
type: array
2378
items:
2379
type: string
2380
x-kubernetes-list-type: atomic
2381
x-kubernetes-list-type: atomic
2382
matchLabels:
2383
description: |-
2384
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2385
map is equivalent to an element of matchExpressions, whose key field is "key", the
2386
operator is "In", and the values array contains only "value". The requirements are ANDed.
2387
type: object
2388
additionalProperties:
2389
type: string
2390
x-kubernetes-map-type: atomic
2391
matchLabelKeys:
2392
description: |-
2393
MatchLabelKeys is a set of pod label keys to select which pods will
2394
be taken into consideration. The keys are used to lookup values from the
2395
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2396
to select the group of existing pods that will be taken into consideration
2397
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2398
pod labels will be ignored. The default value is empty.
2399
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2400
Also, matchLabelKeys cannot be set when labelSelector isn't set.
2401
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2402
type: array
2403
items:
2404
type: string
2405
x-kubernetes-list-type: atomic
2406
mismatchLabelKeys:
2407
description: |-
2408
MismatchLabelKeys is a set of pod label keys to select which pods will
2409
be taken into consideration. The keys are used to lookup values from the
2410
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2411
to select the group of existing pods that will be taken into consideration
2412
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2413
pod labels will be ignored. The default value is empty.
2414
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2415
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2416
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2417
type: array
2418
items:
2419
type: string
2420
x-kubernetes-list-type: atomic
2421
namespaceSelector:
2422
description: |-
2423
A label query over the set of namespaces that the term applies to.
2424
The term is applied to the union of the namespaces selected by this field
2425
and the ones listed in the namespaces field.
2426
null selector and null or empty namespaces list means "this pod's namespace".
2427
An empty selector ({}) matches all namespaces.
2428
type: object
2429
properties:
2430
matchExpressions:
2431
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2432
type: array
2433
items:
2434
description: |-
2435
A label selector requirement is a selector that contains values, a key, and an operator that
2436
relates the key and values.
2437
type: object
2438
required:
2439
- key
2440
- operator
2441
properties:
2442
key:
2443
description: key is the label key that the selector applies to.
2444
type: string
2445
operator:
2446
description: |-
2447
operator represents a key's relationship to a set of values.
2448
Valid operators are In, NotIn, Exists and DoesNotExist.
2449
type: string
2450
values:
2451
description: |-
2452
values is an array of string values. If the operator is In or NotIn,
2453
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2454
the values array must be empty. This array is replaced during a strategic
2455
merge patch.
2456
type: array
2457
items:
2458
type: string
2459
x-kubernetes-list-type: atomic
2460
x-kubernetes-list-type: atomic
2461
matchLabels:
2462
description: |-
2463
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2464
map is equivalent to an element of matchExpressions, whose key field is "key", the
2465
operator is "In", and the values array contains only "value". The requirements are ANDed.
2466
type: object
2467
additionalProperties:
2468
type: string
2469
x-kubernetes-map-type: atomic
2470
namespaces:
2471
description: |-
2472
namespaces specifies a static list of namespace names that the term applies to.
2473
The term is applied to the union of the namespaces listed in this field
2474
and the ones selected by namespaceSelector.
2475
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2476
type: array
2477
items:
2478
type: string
2479
x-kubernetes-list-type: atomic
2480
topologyKey:
2481
description: |-
2482
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2483
the labelSelector in the specified namespaces, where co-located is defined as running on a node
2484
whose value of the label with key topologyKey matches that of any node on which any of the
2485
selected pods is running.
2486
Empty topologyKey is not allowed.
2487
type: string
2488
x-kubernetes-list-type: atomic
2489
podAntiAffinity:
2490
description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2491
type: object
2492
properties:
2493
preferredDuringSchedulingIgnoredDuringExecution:
2494
description: |-
2495
The scheduler will prefer to schedule pods to nodes that satisfy
2496
the anti-affinity expressions specified by this field, but it may choose
2497
a node that violates one or more of the expressions. The node that is
2498
most preferred is the one with the greatest sum of weights, i.e.
2499
for each node that meets all of the scheduling requirements (resource
2500
request, requiredDuringScheduling anti-affinity expressions, etc.),
2501
compute a sum by iterating through the elements of this field and adding
2502
"weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
2503
node(s) with the highest sum are the most preferred.
2504
type: array
2505
items:
2506
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2507
type: object
2508
required:
2509
- podAffinityTerm
2510
- weight
2511
properties:
2512
podAffinityTerm:
2513
description: Required. A pod affinity term, associated with the corresponding weight.
2514
type: object
2515
required:
2516
- topologyKey
2517
properties:
2518
labelSelector:
2519
description: |-
2520
A label query over a set of resources, in this case pods.
2521
If it's null, this PodAffinityTerm matches with no Pods.
2522
type: object
2523
properties:
2524
matchExpressions:
2525
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2526
type: array
2527
items:
2528
description: |-
2529
A label selector requirement is a selector that contains values, a key, and an operator that
2530
relates the key and values.
2531
type: object
2532
required:
2533
- key
2534
- operator
2535
properties:
2536
key:
2537
description: key is the label key that the selector applies to.
2538
type: string
2539
operator:
2540
description: |-
2541
operator represents a key's relationship to a set of values.
2542
Valid operators are In, NotIn, Exists and DoesNotExist.
2543
type: string
2544
values:
2545
description: |-
2546
values is an array of string values. If the operator is In or NotIn,
2547
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2548
the values array must be empty. This array is replaced during a strategic
2549
merge patch.
2550
type: array
2551
items:
2552
type: string
2553
x-kubernetes-list-type: atomic
2554
x-kubernetes-list-type: atomic
2555
matchLabels:
2556
description: |-
2557
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2558
map is equivalent to an element of matchExpressions, whose key field is "key", the
2559
operator is "In", and the values array contains only "value". The requirements are ANDed.
2560
type: object
2561
additionalProperties:
2562
type: string
2563
x-kubernetes-map-type: atomic
2564
matchLabelKeys:
2565
description: |-
2566
MatchLabelKeys is a set of pod label keys to select which pods will
2567
be taken into consideration. The keys are used to lookup values from the
2568
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2569
to select the group of existing pods which pods will be taken into consideration
2570
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2571
pod labels will be ignored. The default value is empty.
2572
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2573
Also, matchLabelKeys cannot be set when labelSelector isn't set.
2574
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2575
type: array
2576
items:
2577
type: string
2578
x-kubernetes-list-type: atomic
2579
mismatchLabelKeys:
2580
description: |-
2581
MismatchLabelKeys is a set of pod label keys to select which pods will
2582
be taken into consideration. The keys are used to lookup values from the
2583
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2584
to select the group of existing pods which pods will be taken into consideration
2585
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2586
pod labels will be ignored. The default value is empty.
2587
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2588
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2589
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2590
type: array
2591
items:
2592
type: string
2593
x-kubernetes-list-type: atomic
2594
namespaceSelector:
2595
description: |-
2596
A label query over the set of namespaces that the term applies to.
2597
The term is applied to the union of the namespaces selected by this field
2598
and the ones listed in the namespaces field.
2599
null selector and null or empty namespaces list means "this pod's namespace".
2600
An empty selector ({}) matches all namespaces.
2601
type: object
2602
properties:
2603
matchExpressions:
2604
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2605
type: array
2606
items:
2607
description: |-
2608
A label selector requirement is a selector that contains values, a key, and an operator that
2609
relates the key and values.
2610
type: object
2611
required:
2612
- key
2613
- operator
2614
properties:
2615
key:
2616
description: key is the label key that the selector applies to.
2617
type: string
2618
operator:
2619
description: |-
2620
operator represents a key's relationship to a set of values.
2621
Valid operators are In, NotIn, Exists and DoesNotExist.
2622
type: string
2623
values:
2624
description: |-
2625
values is an array of string values. If the operator is In or NotIn,
2626
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2627
the values array must be empty. This array is replaced during a strategic
2628
merge patch.
2629
type: array
2630
items:
2631
type: string
2632
x-kubernetes-list-type: atomic
2633
x-kubernetes-list-type: atomic
2634
matchLabels:
2635
description: |-
2636
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2637
map is equivalent to an element of matchExpressions, whose key field is "key", the
2638
operator is "In", and the values array contains only "value". The requirements are ANDed.
2639
type: object
2640
additionalProperties:
2641
type: string
2642
x-kubernetes-map-type: atomic
2643
namespaces:
2644
description: |-
2645
namespaces specifies a static list of namespace names that the term applies to.
2646
The term is applied to the union of the namespaces listed in this field
2647
and the ones selected by namespaceSelector.
2648
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2649
type: array
2650
items:
2651
type: string
2652
x-kubernetes-list-type: atomic
2653
topologyKey:
2654
description: |-
2655
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2656
the labelSelector in the specified namespaces, where co-located is defined as running on a node
2657
whose value of the label with key topologyKey matches that of any node on which any of the
2658
selected pods is running.
2659
Empty topologyKey is not allowed.
2660
type: string
2661
weight:
2662
description: |-
2663
weight associated with matching the corresponding podAffinityTerm,
2664
in the range 1-100.
2665
type: integer
2666
format: int32
2667
x-kubernetes-list-type: atomic
2668
requiredDuringSchedulingIgnoredDuringExecution:
2669
description: |-
2670
If the anti-affinity requirements specified by this field are not met at
2671
scheduling time, the pod will not be scheduled onto the node.
2672
If the anti-affinity requirements specified by this field cease to be met
2673
at some point during pod execution (e.g. due to a pod label update), the
2674
system may or may not try to eventually evict the pod from its node.
2675
When there are multiple elements, the lists of nodes corresponding to each
2676
podAffinityTerm are intersected, i.e. all terms must be satisfied.
2677
type: array
2678
items:
2679
description: |-
2680
Defines a set of pods (namely those matching the labelSelector
2681
relative to the given namespace(s)) that this pod should be
2682
co-located (affinity) or not co-located (anti-affinity) with,
2683
where co-located is defined as running on a node whose value of
2684
the label with key topologyKey matches that of any node on which
2685
a pod of the set of pods is running
2686
type: object
2687
required:
2688
- topologyKey
2689
properties:
2690
labelSelector:
2691
description: |-
2692
A label query over a set of resources, in this case pods.
2693
If it's null, this PodAffinityTerm matches with no Pods.
2694
type: object
2695
properties:
2696
matchExpressions:
2697
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2698
type: array
2699
items:
2700
description: |-
2701
A label selector requirement is a selector that contains values, a key, and an operator that
2702
relates the key and values.
2703
type: object
2704
required:
2705
- key
2706
- operator
2707
properties:
2708
key:
2709
description: key is the label key that the selector applies to.
2710
type: string
2711
operator:
2712
description: |-
2713
operator represents a key's relationship to a set of values.
2714
Valid operators are In, NotIn, Exists and DoesNotExist.
2715
type: string
2716
values:
2717
description: |-
2718
values is an array of string values. If the operator is In or NotIn,
2719
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2720
the values array must be empty. This array is replaced during a strategic
2721
merge patch.
2722
type: array
2723
items:
2724
type: string
2725
x-kubernetes-list-type: atomic
2726
x-kubernetes-list-type: atomic
2727
matchLabels:
2728
description: |-
2729
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2730
map is equivalent to an element of matchExpressions, whose key field is "key", the
2731
operator is "In", and the values array contains only "value". The requirements are ANDed.
2732
type: object
2733
additionalProperties:
2734
type: string
2735
x-kubernetes-map-type: atomic
2736
matchLabelKeys:
2737
description: |-
2738
MatchLabelKeys is a set of pod label keys to select which pods will
2739
be taken into consideration. The keys are used to lookup values from the
2740
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2741
to select the group of existing pods which pods will be taken into consideration
2742
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2743
pod labels will be ignored. The default value is empty.
2744
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2745
Also, matchLabelKeys cannot be set when labelSelector isn't set.
2746
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2747
type: array
2748
items:
2749
type: string
2750
x-kubernetes-list-type: atomic
2751
mismatchLabelKeys:
2752
description: |-
2753
MismatchLabelKeys is a set of pod label keys to select which pods will
2754
be taken into consideration. The keys are used to lookup values from the
2755
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2756
to select the group of existing pods which pods will be taken into consideration
2757
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2758
pod labels will be ignored. The default value is empty.
2759
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2760
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2761
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2762
type: array
2763
items:
2764
type: string
2765
x-kubernetes-list-type: atomic
2766
namespaceSelector:
2767
description: |-
2768
A label query over the set of namespaces that the term applies to.
2769
The term is applied to the union of the namespaces selected by this field
2770
and the ones listed in the namespaces field.
2771
null selector and null or empty namespaces list means "this pod's namespace".
2772
An empty selector ({}) matches all namespaces.
2773
type: object
2774
properties:
2775
matchExpressions:
2776
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2777
type: array
2778
items:
2779
description: |-
2780
A label selector requirement is a selector that contains values, a key, and an operator that
2781
relates the key and values.
2782
type: object
2783
required:
2784
- key
2785
- operator
2786
properties:
2787
key:
2788
description: key is the label key that the selector applies to.
2789
type: string
2790
operator:
2791
description: |-
2792
operator represents a key's relationship to a set of values.
2793
Valid operators are In, NotIn, Exists and DoesNotExist.
2794
type: string
2795
values:
2796
description: |-
2797
values is an array of string values. If the operator is In or NotIn,
2798
the values array must be non-empty. If the operator is Exists or DoesNotExist,
2799
the values array must be empty. This array is replaced during a strategic
2800
merge patch.
2801
type: array
2802
items:
2803
type: string
2804
x-kubernetes-list-type: atomic
2805
x-kubernetes-list-type: atomic
2806
matchLabels:
2807
description: |-
2808
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2809
map is equivalent to an element of matchExpressions, whose key field is "key", the
2810
operator is "In", and the values array contains only "value". The requirements are ANDed.
2811
type: object
2812
additionalProperties:
2813
type: string
2814
x-kubernetes-map-type: atomic
2815
namespaces:
2816
description: |-
2817
namespaces specifies a static list of namespace names that the term applies to.
2818
The term is applied to the union of the namespaces listed in this field
2819
and the ones selected by namespaceSelector.
2820
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2821
type: array
2822
items:
2823
type: string
2824
x-kubernetes-list-type: atomic
2825
topologyKey:
2826
description: |-
2827
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2828
the labelSelector in the specified namespaces, where co-located is defined as running on a node
2829
whose value of the label with key topologyKey matches that of any node on which any of the
2830
selected pods is running.
2831
Empty topologyKey is not allowed.
2832
type: string
2833
x-kubernetes-list-type: atomic
2834
imagePullSecrets:
2835
description: If specified, the pod's imagePullSecrets
2836
type: array
2837
items:
2838
description: |-
2839
LocalObjectReference contains enough information to let you locate the
2840
referenced object inside the same namespace.
2841
type: object
2842
properties:
2843
name:
2844
description: |-
2845
Name of the referent.
2846
This field is effectively required, but due to backwards compatibility is
2847
allowed to be empty. Instances of this type with an empty value here are
2848
almost certainly wrong.
2849
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2850
type: string
2851
default: ""
2852
x-kubernetes-map-type: atomic
2853
nodeSelector:
2854
description: |-
2855
NodeSelector is a selector which must be true for the pod to fit on a node.
2856
Selector which must match a node's labels for the pod to be scheduled on that node.
2857
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
2858
type: object
2859
additionalProperties:
2860
type: string
2861
priorityClassName:
2862
description: If specified, the pod's priorityClassName.
2863
type: string
2864
securityContext:
2865
description: If specified, the pod's security context
2866
type: object
2867
properties:
2868
fsGroup:
2869
description: |-
2870
A special supplemental group that applies to all containers in a pod.
2871
Some volume types allow the Kubelet to change the ownership of that volume
2872
to be owned by the pod:
2873
2874
1. The owning GID will be the FSGroup
2875
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
2876
3. The permission bits are OR'd with rw-rw----
2877
2878
If unset, the Kubelet will not modify the ownership and permissions of any volume.
2879
Note that this field cannot be set when spec.os.name is windows.
2880
type: integer
2881
format: int64
2882
fsGroupChangePolicy:
2883
description: |-
2884
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
2885
before being exposed inside Pod. This field will only apply to
2886
volume types which support fsGroup based ownership(and permissions).
2887
It will have no effect on ephemeral volume types such as: secret, configmaps
2888
and emptydir.
2889
Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
2890
Note that this field cannot be set when spec.os.name is windows.
2891
type: string
2892
runAsGroup:
2893
description: |-
2894
The GID to run the entrypoint of the container process.
2895
Uses runtime default if unset.
2896
May also be set in SecurityContext. If set in both SecurityContext and
2897
PodSecurityContext, the value specified in SecurityContext takes precedence
2898
for that container.
2899
Note that this field cannot be set when spec.os.name is windows.
2900
type: integer
2901
format: int64
2902
runAsNonRoot:
2903
description: |-
2904
Indicates that the container must run as a non-root user.
2905
If true, the Kubelet will validate the image at runtime to ensure that it
2906
does not run as UID 0 (root) and fail to start the container if it does.
2907
If unset or false, no such validation will be performed.
2908
May also be set in SecurityContext. If set in both SecurityContext and
2909
PodSecurityContext, the value specified in SecurityContext takes precedence.
2910
type: boolean
2911
runAsUser:
2912
description: |-
2913
The UID to run the entrypoint of the container process.
2914
Defaults to user specified in image metadata if unspecified.
2915
May also be set in SecurityContext. If set in both SecurityContext and
2916
PodSecurityContext, the value specified in SecurityContext takes precedence
2917
for that container.
2918
Note that this field cannot be set when spec.os.name is windows.
2919
type: integer
2920
format: int64
2921
seLinuxOptions:
2922
description: |-
2923
The SELinux context to be applied to all containers.
2924
If unspecified, the container runtime will allocate a random SELinux context for each
2925
container. May also be set in SecurityContext. If set in
2926
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
2927
takes precedence for that container.
2928
Note that this field cannot be set when spec.os.name is windows.
2929
type: object
2930
properties:
2931
level:
2932
description: Level is SELinux level label that applies to the container.
2933
type: string
2934
role:
2935
description: Role is a SELinux role label that applies to the container.
2936
type: string
2937
type:
2938
description: Type is a SELinux type label that applies to the container.
2939
type: string
2940
user:
2941
description: User is a SELinux user label that applies to the container.
2942
type: string
2943
seccompProfile:
2944
description: |-
2945
The seccomp options to use by the containers in this pod.
2946
Note that this field cannot be set when spec.os.name is windows.
2947
type: object
2948
required:
2949
- type
2950
properties:
2951
localhostProfile:
2952
description: |-
2953
localhostProfile indicates a profile defined in a file on the node should be used.
2954
The profile must be preconfigured on the node to work.
2955
Must be a descending path, relative to the kubelet's configured seccomp profile location.
2956
Must be set if type is "Localhost". Must NOT be set for any other type.
2957
type: string
2958
type:
2959
description: |-
2960
type indicates which kind of seccomp profile will be applied.
2961
Valid options are:
2962
2963
Localhost - a profile defined in a file on the node should be used.
2964
RuntimeDefault - the container runtime default profile should be used.
2965
Unconfined - no profile should be applied.
2966
type: string
2967
supplementalGroups:
2968
description: |-
2969
A list of groups applied to the first process run in each container, in addition
2970
to the container's primary GID, the fsGroup (if specified), and group memberships
2971
defined in the container image for the uid of the container process. If unspecified,
2972
no additional groups are added to any container. Note that group memberships
2973
defined in the container image for the uid of the container process are still effective,
2974
even if they are not included in this list.
2975
Note that this field cannot be set when spec.os.name is windows.
2976
type: array
2977
items:
2978
type: integer
2979
format: int64
2980
sysctls:
2981
description: |-
2982
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
2983
sysctls (by the container runtime) might fail to launch.
2984
Note that this field cannot be set when spec.os.name is windows.
2985
type: array
2986
items:
2987
description: Sysctl defines a kernel parameter to be set
2988
type: object
2989
required:
2990
- name
2991
- value
2992
properties:
2993
name:
2994
description: Name of a property to set
2995
type: string
2996
value:
2997
description: Value of a property to set
2998
type: string
2999
serviceAccountName:
3000
description: If specified, the pod's service account
3001
type: string
3002
tolerations:
3003
description: If specified, the pod's tolerations.
3004
type: array
3005
items:
3006
description: |-
3007
The pod this Toleration is attached to tolerates any taint that matches
3008
the triple (key, value, effect) using the matching operator.
3009
type: object
3010
properties:
3011
effect:
3012
description: |-
3013
Effect indicates the taint effect to match. Empty means match all taint effects.
3014
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3015
type: string
3016
key:
3017
description: |-
3018
Key is the taint key that the toleration applies to. Empty means match all taint keys.
3019
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3020
type: string
3021
operator:
3022
description: |-
3023
Operator represents a key's relationship to the value.
3024
Valid operators are Exists and Equal. Defaults to Equal.
3025
Exists is equivalent to wildcard for value, so that a pod can
3026
tolerate all taints of a particular category.
3027
type: string
3028
tolerationSeconds:
3029
description: |-
3030
TolerationSeconds represents the period of time the toleration (which must be
3031
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
3032
it is not set, which means tolerate the taint forever (do not evict). Zero and
3033
negative values will be treated as 0 (evict immediately) by the system.
3034
type: integer
3035
format: int64
3036
value:
3037
description: |-
3038
Value is the taint value the toleration matches to.
3039
If the operator is Exists, the value should be empty, otherwise just a regular string.
3040
type: string
3041
serviceType:
3042
description: |-
3043
Optional service type for Kubernetes solver service. Supported values
3044
are NodePort or ClusterIP. If unset, defaults to NodePort.
3045
type: string
3046
ingress:
3047
description: |-
3048
The ingress based HTTP01 challenge solver will solve challenges by
3049
creating or modifying Ingress resources in order to route requests for
3050
'/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
3051
provisioned by cert-manager for each Challenge to be completed.
3052
type: object
3053
properties:
3054
class:
3055
description: |-
3056
This field configures the annotation `kubernetes.io/ingress.class` when
3057
creating Ingress resources to solve ACME challenges that use this
3058
challenge solver. Only one of `class`, `name` or `ingressClassName` may
3059
be specified.
3060
type: string
3061
ingressClassName:
3062
description: |-
3063
This field configures the field `ingressClassName` on the created Ingress
3064
resources used to solve ACME challenges that use this challenge solver.
3065
This is the recommended way of configuring the ingress class. Only one of
3066
`class`, `name` or `ingressClassName` may be specified.
3067
type: string
3068
ingressTemplate:
3069
description: |-
3070
Optional ingress template used to configure the ACME challenge solver
3071
ingress used for HTTP01 challenges.
3072
type: object
3073
properties:
3074
metadata:
3075
description: |-
3076
ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
3077
Only the 'labels' and 'annotations' fields may be set.
3078
If labels or annotations overlap with in-built values, the values here
3079
will override the in-built values.
3080
type: object
3081
properties:
3082
annotations:
3083
description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3084
type: object
3085
additionalProperties:
3086
type: string
3087
labels:
3088
description: Labels that should be added to the created ACME HTTP01 solver ingress.
3089
type: object
3090
additionalProperties:
3091
type: string
3092
name:
3093
description: |-
3094
The name of the ingress resource that should have ACME challenge solving
3095
routes inserted into it in order to solve HTTP01 challenges.
3096
This is typically used in conjunction with ingress controllers like
3097
ingress-gce, which maintains a 1:1 mapping between external IPs and
3098
ingress resources. Only one of `class`, `name` or `ingressClassName` may
3099
be specified.
3100
type: string
3101
podTemplate:
3102
description: |-
3103
Optional pod template used to configure the ACME challenge solver pods
3104
used for HTTP01 challenges.
3105
type: object
3106
properties:
3107
metadata:
3108
description: |-
3109
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
3110
Only the 'labels' and 'annotations' fields may be set.
3111
If labels or annotations overlap with in-built values, the values here
3112
will override the in-built values.
3113
type: object
3114
properties:
3115
annotations:
3116
description: Annotations that should be added to the created ACME HTTP01 solver pods.
3117
type: object
3118
additionalProperties:
3119
type: string
3120
labels:
3121
description: Labels that should be added to the created ACME HTTP01 solver pods.
3122
type: object
3123
additionalProperties:
3124
type: string
3125
spec:
3126
description: |-
3127
PodSpec defines overrides for the HTTP01 challenge solver pod.
3128
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
3129
All other fields will be ignored.
3130
type: object
3131
properties:
3132
affinity:
3133
description: If specified, the pod's scheduling constraints
3134
type: object
3135
properties:
3136
nodeAffinity:
3137
description: Describes node affinity scheduling rules for the pod.
3138
type: object
3139
properties:
3140
preferredDuringSchedulingIgnoredDuringExecution:
3141
description: |-
3142
The scheduler will prefer to schedule pods to nodes that satisfy
3143
the affinity expressions specified by this field, but it may choose
3144
a node that violates one or more of the expressions. The node that is
3145
most preferred is the one with the greatest sum of weights, i.e.
3146
for each node that meets all of the scheduling requirements (resource
3147
request, requiredDuringScheduling affinity expressions, etc.),
3148
compute a sum by iterating through the elements of this field and adding
3149
"weight" to the sum if the node matches the corresponding matchExpressions; the
3150
node(s) with the highest sum are the most preferred.
3151
type: array
3152
items:
3153
description: |-
3154
An empty preferred scheduling term matches all objects with implicit weight 0
3155
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3156
type: object
3157
required:
3158
- preference
3159
- weight
3160
properties:
3161
preference:
3162
description: A node selector term, associated with the corresponding weight.
3163
type: object
3164
properties:
3165
matchExpressions:
3166
description: A list of node selector requirements by node's labels.
3167
type: array
3168
items:
3169
description: |-
3170
A node selector requirement is a selector that contains values, a key, and an operator
3171
that relates the key and values.
3172
type: object
3173
required:
3174
- key
3175
- operator
3176
properties:
3177
key:
3178
description: The label key that the selector applies to.
3179
type: string
3180
operator:
3181
description: |-
3182
Represents a key's relationship to a set of values.
3183
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3184
type: string
3185
values:
3186
description: |-
3187
An array of string values. If the operator is In or NotIn,
3188
the values array must be non-empty. If the operator is Exists or DoesNotExist,
3189
the values array must be empty. If the operator is Gt or Lt, the values
3190
array must have a single element, which will be interpreted as an integer.
3191
This array is replaced during a strategic merge patch.
3192
type: array
3193
items:
3194
type: string
3195
x-kubernetes-list-type: atomic
3196
x-kubernetes-list-type: atomic
3197
matchFields:
3198
description: A list of node selector requirements by node's fields.
3199
type: array
3200
items:
3201
description: |-
3202
A node selector requirement is a selector that contains values, a key, and an operator
3203
that relates the key and values.
3204
type: object
3205
required:
3206
- key
3207
- operator
3208
properties:
3209
key:
3210
description: The label key that the selector applies to.
3211
type: string
3212
operator:
3213
description: |-
3214
Represents a key's relationship to a set of values.
3215
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3216
type: string
3217
values:
3218
description: |-
3219
An array of string values. If the operator is In or NotIn,
3220
the values array must be non-empty. If the operator is Exists or DoesNotExist,
3221
the values array must be empty. If the operator is Gt or Lt, the values
3222
array must have a single element, which will be interpreted as an integer.
3223
This array is replaced during a strategic merge patch.
3224
type: array
3225
items:
3226
type: string
3227
x-kubernetes-list-type: atomic
3228
x-kubernetes-list-type: atomic
3229
x-kubernetes-map-type: atomic
3230
weight:
3231
description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3232
type: integer
3233
format: int32
3234
x-kubernetes-list-type: atomic
3235
requiredDuringSchedulingIgnoredDuringExecution:
3236
description: |-
3237
If the affinity requirements specified by this field are not met at
3238
scheduling time, the pod will not be scheduled onto the node.
3239
If the affinity requirements specified by this field cease to be met
3240
at some point during pod execution (e.g. due to an update), the system
3241
may or may not try to eventually evict the pod from its node.
3242
type: object
3243
required:
3244
- nodeSelectorTerms
3245
properties:
3246
nodeSelectorTerms:
3247
description: Required. A list of node selector terms. The terms are ORed.
3248
type: array
3249
items:
3250
description: |-
3251
A null or empty node selector term matches no objects. The requirements of
3252
them are ANDed.
3253
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3254
type: object
3255
properties:
3256
matchExpressions:
3257
description: A list of node selector requirements by node's labels.
3258
type: array
3259
items:
3260
description: |-
3261
A node selector requirement is a selector that contains values, a key, and an operator
3262
that relates the key and values.
3263
type: object
3264
required:
3265
- key
3266
- operator
3267
properties:
3268
key:
3269
description: The label key that the selector applies to.
3270
type: string
3271
operator:
3272
description: |-
3273
Represents a key's relationship to a set of values.
3274
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3275
type: string
3276
values:
3277
description: |-
3278
An array of string values. If the operator is In or NotIn,
3279
the values array must be non-empty. If the operator is Exists or DoesNotExist,
3280
the values array must be empty. If the operator is Gt or Lt, the values
3281
array must have a single element, which will be interpreted as an integer.
3282
This array is replaced during a strategic merge patch.
3283
type: array
3284
items:
3285
type: string
3286
x-kubernetes-list-type: atomic
3287
x-kubernetes-list-type: atomic
3288
matchFields:
3289
description: A list of node selector requirements by node's fields.
3290
type: array
3291
items:
3292
description: |-
3293
A node selector requirement is a selector that contains values, a key, and an operator
3294
that relates the key and values.
3295
type: object
3296
required:
3297
- key
3298
- operator
3299
properties:
3300
key:
3301
description: The label key that the selector applies to.
3302
type: string
3303
operator:
3304
description: |-
3305
Represents a key's relationship to a set of values.
3306
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3307
type: string
3308
values:
3309
description: |-
3310
An array of string values. If the operator is In or NotIn,
3311
the values array must be non-empty. If the operator is Exists or DoesNotExist,
3312
the values array must be empty. If the operator is Gt or Lt, the values
3313
array must have a single element, which will be interpreted as an integer.
3314
This array is replaced during a strategic merge patch.
3315
type: array
3316
items:
3317
type: string
3318
x-kubernetes-list-type: atomic
3319
x-kubernetes-list-type: atomic
3320
x-kubernetes-map-type: atomic
3321
x-kubernetes-list-type: atomic
3322
x-kubernetes-map-type: atomic
3323
podAffinity:
3324
description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3325
type: object
3326
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated with the corresponding weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
weight:
description: |-
weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod label update), the
system may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding to each
podAffinityTerm are intersected, i.e. all terms must be satisfied.
type: array
items:
description: |-
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key topologyKey matches that of any node on which
a pod of the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
x-kubernetes-list-type: atomic
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the anti-affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated with the corresponding weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
weight:
description: |-
weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the anti-affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the anti-affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod label update), the
system may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding to each
podAffinityTerm are intersected, i.e. all terms must be satisfied.
type: array
items:
description: |-
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key topologyKey matches that of any node on which
a pod of the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
x-kubernetes-list-type: atomic
imagePullSecrets:
description: If specified, the pod's imagePullSecrets
type: array
items:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
type: object
properties:
name:
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
default: ""
x-kubernetes-map-type: atomic
nodeSelector:
description: |-
NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
type: object
additionalProperties:
type: string
priorityClassName:
description: If specified, the pod's priorityClassName.
type: string
securityContext:
description: If specified, the pod's security context
type: object
properties:
fsGroup:
description: |-
A special supplemental group that applies to all containers in a pod.
Some volume types allow the Kubelet to change the ownership of that volume
to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw----
If unset, the Kubelet will not modify the ownership and permissions of any volume.
Note that this field cannot be set when spec.os.name is windows.
type: integer
format: int64
fsGroupChangePolicy:
description: |-
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
before being exposed inside Pod. This field will only apply to
volume types which support fsGroup based ownership(and permissions).
It will have no effect on ephemeral volume types such as: secret, configmaps
and emptydir.
Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
Note that this field cannot be set when spec.os.name is windows.
type: string
runAsGroup:
description: |-
The GID to run the entrypoint of the container process.
Uses runtime default if unset.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence
for that container.
Note that this field cannot be set when spec.os.name is windows.
type: integer
format: int64
runAsNonRoot:
description: |-
Indicates that the container must run as a non-root user.
If true, the Kubelet will validate the image at runtime to ensure that it
does not run as UID 0 (root) and fail to start the container if it does.
If unset or false, no such validation will be performed.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
description: |-
The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence
for that container.
Note that this field cannot be set when spec.os.name is windows.
type: integer
format: int64
seLinuxOptions:
description: |-
The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
type: object
properties:
level:
description: Level is SELinux level label that applies to the container.
type: string
role:
description: Role is a SELinux role label that applies to the container.
type: string
type:
description: Type is a SELinux type label that applies to the container.
type: string
user:
description: User is a SELinux user label that applies to the container.
type: string
seccompProfile:
description: |-
The seccomp options to use by the containers in this pod.
Note that this field cannot be set when spec.os.name is windows.
type: object
required:
- type
properties:
localhostProfile:
description: |-
localhostProfile indicates a profile defined in a file on the node should be used.
The profile must be preconfigured on the node to work.
Must be a descending path, relative to the kubelet's configured seccomp profile location.
Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
description: |-
type indicates which kind of seccomp profile will be applied.
Valid options are:
Localhost - a profile defined in a file on the node should be used.
RuntimeDefault - the container runtime default profile should be used.
Unconfined - no profile should be applied.
type: string
supplementalGroups:
description: |-
A list of groups applied to the first process run in each container, in addition
to the container's primary GID, the fsGroup (if specified), and group memberships
defined in the container image for the uid of the container process. If unspecified,
no additional groups are added to any container. Note that group memberships
defined in the container image for the uid of the container process are still effective,
even if they are not included in this list.
Note that this field cannot be set when spec.os.name is windows.
type: array
items:
type: integer
format: int64
sysctls:
description: |-
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Note that this field cannot be set when spec.os.name is windows.
type: array
items:
description: Sysctl defines a kernel parameter to be set
type: object
required:
- name
- value
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
serviceAccountName:
description: If specified, the pod's service account
type: string
tolerations:
description: If specified, the pod's tolerations.
type: array
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
type: object
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
type: integer
format: int64
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
serviceType:
description: |-
Optional service type for Kubernetes solver service. Supported values
are NodePort or ClusterIP. If unset, defaults to NodePort.
type: string
selector:
description: |-
Selector selects a set of DNSNames on the Certificate resource that
should be solved using this challenge solver.
If not specified, the solver will be treated as the 'default' solver
with the lowest priority, i.e. if any other solver has a more specific
match, it will be used instead.
type: object
properties:
dnsNames:
description: |-
List of DNSNames that this solver will be used to solve.
If specified and a match is found, a dnsNames selector will take
precedence over a dnsZones selector.
If multiple solvers match with the same dnsNames value, the solver
with the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier in the list
will be selected.
type: array
items:
type: string
dnsZones:
description: |-
List of DNSZones that this solver will be used to solve.
The most specific DNS zone match specified here will take precedence
over other DNS zone matches, so a solver specifying sys.example.com
will be selected over one specifying example.com for the domain
www.sys.example.com.
If multiple solvers match with the same dnsZones value, the solver
with the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier in the list
will be selected.
type: array
items:
type: string
matchLabels:
description: |-
A label selector that is used to refine the set of certificates that
this challenge solver will apply to.
type: object
additionalProperties:
type: string
token:
description: |-
The ACME challenge token for this challenge.
This is the raw value returned from the ACME server.
type: string
type:
description: |-
The type of ACME challenge this resource represents.
One of "HTTP-01" or "DNS-01".
type: string
enum:
- HTTP-01
- DNS-01
url:
description: |-
The URL of the ACME Challenge resource for this challenge.
This can be used to lookup details about the status of this challenge.
type: string
wildcard:
description: |-
wildcard will be true if this challenge is for a wildcard identifier,
for example '*.example.com'.
type: boolean
status:
type: object
properties:
presented:
description: |-
presented will be set to true if the challenge values for this challenge
are currently 'presented'.
This *does not* imply the self check is passing. Only that the values
have been 'submitted' for the appropriate challenge mechanism (i.e. the
DNS01 TXT record has been presented, or the HTTP01 configuration has been
configured).
type: boolean
processing:
description: |-
Used to denote whether this challenge should be processed or not.
This field will only be set to true by the 'scheduling' component.
It will only be set to false by the 'challenges' controller, after the
challenge has reached a final state or timed out.
If this field is set to false, the challenge controller will not take
any more action.
type: boolean
reason:
description: |-
Contains human readable information on why the Challenge is in the
current state.
type: string
state:
description: |-
Contains the current 'state' of the challenge.
If not set, the state of the challenge is unknown.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
served: true
storage: true
subresources:
status: {}
# END crd
---
# Source: cert-manager/templates/crds.yaml
# START crd
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterissuers.cert-manager.io
# START annotations
annotations:
helm.sh/resource-policy: keep
# END annotations
labels:
app: 'cert-manager'
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
# Generated labels
app.kubernetes.io/version: "v1.17.0"
spec:
group: cert-manager.io
names:
kind: ClusterIssuer
listKind: ClusterIssuerList
plural: clusterissuers
singular: clusterissuer
categories:
- cert-manager
scope: Cluster
versions:
- name: v1
subresources:
status: {}
additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
name: Age
type: date
schema:
openAPIV3Schema:
description: |-
A ClusterIssuer represents a certificate issuing authority which can be
referenced as part of `issuerRef` fields.
It is similar to an Issuer, however it is cluster-scoped and therefore can
be referenced by resources that exist in *any* namespace, not just the same
namespace as the referent.
type: object
required:
- spec
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Desired state of the ClusterIssuer resource.
type: object
properties:
acme:
description: |-
ACME configures this issuer to communicate with a RFC8555 (ACME) server
to obtain signed x509 certificates.
type: object
required:
- privateKeySecretRef
- server
properties:
caBundle:
description: |-
Base64-encoded bundle of PEM CAs which can be used to validate the certificate
chain presented by the ACME server.
Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
kinds of security vulnerabilities.
If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
the container is used to validate the TLS connection.
type: string
format: byte
disableAccountKeyGeneration:
description: |-
Enables or disables generating a new ACME account key.
If true, the Issuer resource will *not* request a new account but will expect
the account key to be supplied via an existing secret.
If false, the cert-manager system will generate a new ACME account key
for the Issuer.
Defaults to false.
type: boolean
email:
description: |-
Email is the email address to be associated with the ACME account.
This field is optional, but it is strongly recommended to be set.
It will be used to contact you in case of issues with your account or
certificates, including expiry notification emails.
This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: |-
Enables requesting a Not After date on certificates that matches the
duration of the certificate. This is not supported by all ACME servers
like Let's Encrypt. If set to true when the ACME server does not support
it, it will create an error on the Order.
Defaults to false.
type: boolean
externalAccountBinding:
description: |-
ExternalAccountBinding is a reference to a CA external account of the ACME
server.
If set, upon registration cert-manager will attempt to associate the given
external account credentials with the registered ACME account.
type: object
required:
- keyID
- keySecretRef
properties:
keyAlgorithm:
description: |-
Deprecated: keyAlgorithm field exists for historical compatibility
reasons and should not be used. The algorithm is now hardcoded to HS256
in golang/x/crypto/acme.
type: string
enum:
- HS256
- HS384
- HS512
keyID:
description: keyID is the ID of the CA key that the External Account is bound to.
type: string
keySecretRef:
description: |-
keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
Secret which holds the symmetric MAC key of the External Account Binding.
The `key` is the index string that is paired with the key data in the
Secret and should not be confused with the key data itself, or indeed with
the External Account Binding keyID above.
The secret key stored in the Secret **must** be un-padded, base64 URL
encoded data.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
preferredChain:
description: |-
PreferredChain is the chain to use if the ACME server outputs multiple.
PreferredChain is no guarantee that this one gets delivered by the ACME
endpoint.
For example, for Let's Encrypt's DST crosssign you would use:
"DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
This value picks the first certificate bundle in the combined set of
ACME default and alternative chains that has a root-most certificate with
this value as its issuer's commonname.
type: string
maxLength: 64
privateKeySecretRef:
description: |-
PrivateKey is the name of a Kubernetes Secret resource that will be used to
store the automatically generated ACME account private key.
Optionally, a `key` may be specified to select a specific entry within
the named Secret resource.
If `key` is not specified, a default of `tls.key` will be used.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
server:
description: |-
Server is the URL used to access the ACME server's 'directory' endpoint.
For example, for Let's Encrypt's staging endpoint, you would use:
"https://acme-staging-v02.api.letsencrypt.org/directory".
Only ACME v2 endpoints (i.e. RFC 8555) are supported.
type: string
skipTLSVerify:
description: |-
INSECURE: Enables or disables validation of the ACME server TLS certificate.
If true, requests to the ACME server will not have the TLS certificate chain
validated.
Mutually exclusive with CABundle; prefer using CABundle to prevent various
kinds of security vulnerabilities.
Only enable this option in development environments.
If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
the container is used to validate the TLS connection.
Defaults to false.
type: boolean
solvers:
description: |-
Solvers is a list of challenge solvers that will be used to solve
ACME challenges for the matching domains.
Solver configurations must be provided in order to obtain certificates
from an ACME server.
For more information, see: https://cert-manager.io/docs/configuration/acme/
type: array
items:
description: |-
An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
A selector may be provided to use different solving strategies for different DNS names.
Only one of HTTP01 or DNS01 must be provided.
type: object
properties:
dns01:
description: |-
Configures cert-manager to attempt to complete authorizations by
performing the DNS01 challenge flow.
type: object
properties:
acmeDNS:
description: |-
Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
DNS01 challenge records.
type: object
required:
- accountSecretRef
- host
properties:
accountSecretRef:
description: |-
A reference to a specific 'key' within a Secret resource.
In some instances, `key` is a required field.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
host:
type: string
akamai:
description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
type: object
required:
- accessTokenSecretRef
- clientSecretSecretRef
- clientTokenSecretRef
- serviceConsumerDomain
properties:
accessTokenSecretRef:
description: |-
A reference to a specific 'key' within a Secret resource.
In some instances, `key` is a required field.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
clientSecretSecretRef:
description: |-
A reference to a specific 'key' within a Secret resource.
In some instances, `key` is a required field.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
clientTokenSecretRef:
description: |-
A reference to a specific 'key' within a Secret resource.
In some instances, `key` is a required field.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
serviceConsumerDomain:
type: string
azureDNS:
description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
type: object
required:
- resourceGroupName
- subscriptionID
properties:
clientID:
description: |-
Auth: Azure Service Principal:
The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
If set, ClientSecret and TenantID must also be set.
type: string
clientSecretSecretRef:
description: |-
Auth: Azure Service Principal:
A reference to a Secret containing the password associated with the Service Principal.
If set, ClientID and TenantID must also be set.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
environment:
description: name of the Azure environment (default AzurePublicCloud)
type: string
enum:
- AzurePublicCloud
- AzureChinaCloud
- AzureGermanCloud
- AzureUSGovernmentCloud
hostedZoneName:
description: name of the DNS zone that should be used
type: string
managedIdentity:
description: |-
Auth: Azure Workload Identity or Azure Managed Service Identity:
Settings to enable Azure Workload Identity or Azure Managed Service Identity
If set, ClientID, ClientSecret and TenantID must not be set.
type: object
properties:
clientID:
description: client ID of the managed identity, cannot be used at the same time as resourceID
type: string
resourceID:
description: |-
resource ID of the managed identity, cannot be used at the same time as clientID
Cannot be used for Azure Managed Service Identity
type: string
tenantID:
description: tenant ID of the managed identity, cannot be used at the same time as resourceID
type: string
resourceGroupName:
description: resource group the DNS zone is located in
type: string
subscriptionID:
description: ID of the Azure subscription
type: string
tenantID:
description: |-
Auth: Azure Service Principal:
The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
If set, ClientID and ClientSecret must also be set.
type: string
cloudDNS:
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
type: object
required:
- project
properties:
hostedZoneName:
description: |-
HostedZoneName is an optional field that tells cert-manager in which
Cloud DNS zone the challenge record has to be created.
If left empty cert-manager will automatically choose a zone.
type: string
project:
type: string
serviceAccountSecretRef:
description: |-
A reference to a specific 'key' within a Secret resource.
In some instances, `key` is a required field.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
cloudflare:
description: Use the Cloudflare API to manage DNS01 challenge records.
type: object
properties:
apiKeySecretRef:
description: |-
API key to use to authenticate with Cloudflare.
Note: using an API token to authenticate is now the recommended method
as it allows greater control of permissions.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
apiTokenSecretRef:
description: API token used to authenticate with Cloudflare.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
email:
description: Email of the account, only required when using API key based authentication.
type: string
cnameStrategy:
description: |-
CNAMEStrategy configures how the DNS01 provider should handle CNAME
records when found in DNS zones.
type: string
enum:
- None
- Follow
digitalocean:
description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
type: object
required:
- tokenSecretRef
properties:
tokenSecretRef:
description: |-
A reference to a specific 'key' within a Secret resource.
In some instances, `key` is a required field.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
rfc2136:
description: |-
Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
to manage DNS01 challenge records.
type: object
required:
- nameserver
properties:
nameserver:
description: |-
The IP address or hostname of an authoritative DNS server supporting
RFC2136 in the form host:port. If the host is an IPv6 address it must be
enclosed in square brackets (e.g. [2001:db8::1]); port is optional.
This field is required.
type: string
tsigAlgorithm:
description: |-
The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
Supported values are (case-insensitive): ``HMACMD5`` (default),
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
type: string
tsigKeyName:
description: |-
The TSIG Key name configured in the DNS.
If ``tsigSecretSecretRef`` is defined, this field is required.
type: string
tsigSecretSecretRef:
description: |-
The name of the secret containing the TSIG value.
If ``tsigKeyName`` is defined, this field is required.
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
route53:
description: Use the AWS Route53 API to manage DNS01 challenge records.
type: object
properties:
accessKeyID:
description: |-
The AccessKeyID is used for authentication.
Cannot be set when SecretAccessKeyID is set.
If neither the Access Key nor Key ID are set, we fall-back to using env
vars, shared credentials file or AWS Instance metadata,
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
type: string
accessKeyIDSecretRef:
description: |-
The AccessKeyID is used for authentication. If set, pull the AWS
access key ID from a key within a Kubernetes Secret.
Cannot be set when AccessKeyID is set.
If neither the Access Key nor Key ID are set, we fall-back to using env
vars, shared credentials file or AWS Instance metadata,
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
type: object
required:
- name
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be
required.
type: string
name:
description: |-
Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
auth:
description: Auth configures how cert-manager authenticates.
type: object
required:
- kubernetes
properties:
kubernetes:
description: |-
Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
by passing a bound ServiceAccount token.
type: object
required:
- serviceAccountRef
properties:
serviceAccountRef:
description: |-
A reference to a service account that will be used to request a bound
token (also known as "projected token"). To use this field, you must
configure an RBAC rule to let cert-manager request a token.
type: object
required:
- name
properties:
audiences:
description: |-
TokenAudiences is an optional list of audiences to include in the
token passed to AWS. The default token consisting of the issuer's namespace
and name is always included.
If unset the audience defaults to `sts.amazonaws.com`.
type: array
items:
type: string
name:
description: Name of the ServiceAccount used to request a token.
type: string
hostedZoneID:
description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
type: string
region:
description: |-
Override the AWS region.
Route53 is a global service and does not have regional endpoints but the
region specified here (or via environment variables) is used as a hint to
help compute the correct AWS credential scope and partition when it
connects to Route53. See:
- [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
- [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
If you omit this region field, cert-manager will use the region from
AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
in the cert-manager controller Pod.
The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
[Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
In this case this `region` field value is ignored.
The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
[Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent).
5001
In this case this `region` field value is ignored.
5002
type: string
5003
role:
5004
description: |-
5005
Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata.
Scope the assumed role to the Route53 actions needed to manage DNS01 challenge records in the relevant
hosted zone (ListHostedZonesByName is only needed when hostedZoneID is not set), and restrict the role's
trust policy to the principal that holds the base credentials.
5007
type: string
5008
secretAccessKeySecretRef:
5009
description: |-
5010
The SecretAccessKey is used for authentication.
If neither the Access Key nor Key ID is set, we fall back to using env
vars, shared credentials file or AWS Instance metadata,
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
Static access keys are long-lived credentials stored in the cluster; where available, prefer the
ServiceAccount-token (web identity) flow or an ambient role obtained from the environment or
instance metadata, so that no long-lived AWS secret has to be kept in a Kubernetes Secret.
5014
type: object
5015
required:
5016
- name
5017
properties:
5018
key:
5019
description: |-
5020
The key of the entry in the Secret resource's `data` field to be used.
5021
Some instances of this field may be defaulted, in others it may be
5022
required.
5023
type: string
5024
name:
5025
description: |-
5026
Name of the resource being referred to.
5027
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5028
type: string
5029
webhook:
5030
description: |-
5031
Configure an external webhook based DNS01 challenge solver to manage
5032
DNS01 challenge records.
5033
type: object
5034
required:
5035
- groupName
5036
- solverName
5037
properties:
5038
config:
5039
description: |-
5040
Additional configuration that should be passed to the webhook apiserver
5041
when challenges are processed.
5042
This can contain arbitrary JSON data.
5043
Secret values should not be specified in this stanza: this field is stored in plain text as
part of the resource spec and is visible to anyone who can read the resource, unlike data
held in a Secret.
If secret values are needed (e.g. credentials for a DNS service), you
should use a SecretKeySelector to reference a Secret resource.
5046
For details on the schema of this field, consult the webhook provider
5047
implementation's documentation.
5048
x-kubernetes-preserve-unknown-fields: true
5049
groupName:
5050
description: |-
5051
The API group name that should be used when POSTing ChallengePayload
5052
resources to the webhook apiserver.
5053
This should be the same as the GroupName specified in the webhook
5054
provider implementation.
5055
type: string
5056
solverName:
5057
description: |-
5058
The name of the solver to use, as defined in the webhook provider
5059
implementation.
5060
This will typically be the name of the provider, e.g. 'cloudflare'.
5061
type: string
5062
http01:
5063
description: |-
5064
Configures cert-manager to attempt to complete authorizations by
5065
performing the HTTP01 challenge flow.
5066
It is not possible to obtain certificates for wildcard domain names
5067
(e.g. `*.example.com`) using the HTTP01 challenge mechanism.
5068
type: object
5069
properties:
5070
gatewayHTTPRoute:
5071
description: |-
5072
The Gateway API is a sig-network community API that models service networking
5073
in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
5074
create HTTPRoutes with the specified labels in the same namespace as the challenge.
5075
This solver is experimental, and fields / behaviour may change in the future.
5076
type: object
5077
properties:
5078
labels:
5079
description: |-
5080
Custom labels that will be applied to HTTPRoutes created by cert-manager
5081
while solving HTTP-01 challenges.
5082
type: object
5083
additionalProperties:
5084
type: string
5085
parentRefs:
5086
description: |-
5087
When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
cert-manager needs to know which parentRefs should be used when creating
the HTTPRoute. Usually, the parentRef references a Gateway. See:
https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
The referenced Gateway's listeners must admit HTTPRoutes from the challenge's
namespace (via the Gateway's AllowedRoutes, or a ReferenceGrant for cross-namespace
references); a route that no listener accepts is not attached, and the challenge
endpoint it is meant to expose will not be reachable through that Gateway.
5091
type: array
5092
items:
5093
description: |-
5094
ParentReference identifies an API object (usually a Gateway) that can be considered
5095
a parent of this resource (usually a route). There are two kinds of parent resources
5096
with "Core" support:
5097
5098
* Gateway (Gateway conformance profile)
5099
* Service (Mesh conformance profile, ClusterIP Services only)
5100
5101
This API may be extended in the future to support additional kinds of parent
5102
resources.
5103
5104
The API object must be valid in the cluster; the Group and Kind must
5105
be registered in the cluster for this reference to be valid.
5106
type: object
5107
required:
5108
- name
5109
properties:
5110
group:
5111
description: |-
5112
Group is the group of the referent.
5113
When unspecified, "gateway.networking.k8s.io" is inferred.
5114
To set the core API group (such as for a "Service" kind referent),
5115
Group must be explicitly set to "" (empty string).
5116
5117
Support: Core
5118
type: string
5119
default: gateway.networking.k8s.io
5120
maxLength: 253
5121
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
5122
kind:
5123
description: |-
5124
Kind is kind of the referent.
5125
5126
There are two kinds of parent resources with "Core" support:
5127
5128
* Gateway (Gateway conformance profile)
5129
* Service (Mesh conformance profile, ClusterIP Services only)
5130
5131
Support for other resources is Implementation-Specific.
5132
type: string
5133
default: Gateway
5134
maxLength: 63
5135
minLength: 1
5136
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
5137
name:
5138
description: |-
5139
Name is the name of the referent.
5140
5141
Support: Core
5142
type: string
5143
maxLength: 253
5144
minLength: 1
5145
namespace:
5146
description: |-
5147
Namespace is the namespace of the referent. When unspecified, this refers
5148
to the local namespace of the Route.
5149
5150
Note that there are specific rules for ParentRefs which cross namespace
5151
boundaries. Cross-namespace references are only valid if they are explicitly
5152
allowed by something in the namespace they are referring to. For example:
5153
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
5154
generic way to enable any other kind of cross-namespace reference.
5155
5156
5157
ParentRefs from a Route to a Service in the same namespace are "producer"
5158
routes, which apply default routing rules to inbound connections from
5159
any namespace to the Service.
5160
5161
ParentRefs from a Route to a Service in a different namespace are
5162
"consumer" routes, and these routing rules are only applied to outbound
5163
connections originating from the same namespace as the Route, for which
5164
the intended destination of the connections are a Service targeted as a
5165
ParentRef of the Route.
5166
5167
5168
Support: Core
5169
type: string
5170
maxLength: 63
5171
minLength: 1
5172
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
5173
port:
5174
description: |-
5175
Port is the network port this Route targets. It can be interpreted
5176
differently based on the type of parent resource.
5177
5178
When the parent resource is a Gateway, this targets all listeners
5179
listening on the specified port that also support this kind of Route(and
5180
select this Route). It's not recommended to set `Port` unless the
5181
networking behaviors specified in a Route must apply to a specific port
5182
as opposed to a listener(s) whose port(s) may be changed. When both Port
5183
and SectionName are specified, the name and port of the selected listener
5184
must match both specified values.
5185
5186
5187
When the parent resource is a Service, this targets a specific port in the
5188
Service spec. When both Port (experimental) and SectionName are specified,
5189
the name and port of the selected port must match both specified values.
5190
5191
5192
Implementations MAY choose to support other parent resources.
5193
Implementations supporting other types of parent resources MUST clearly
5194
document how/if Port is interpreted.
5195
5196
For the purpose of status, an attachment is considered successful as
5197
long as the parent resource accepts it partially. For example, Gateway
5198
listeners can restrict which Routes can attach to them by Route kind,
5199
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
5200
from the referencing Route, the Route MUST be considered successfully
5201
attached. If no Gateway listeners accept attachment from this Route,
5202
the Route MUST be considered detached from the Gateway.
5203
5204
Support: Extended
5205
type: integer
5206
format: int32
5207
maximum: 65535
5208
minimum: 1
5209
sectionName:
5210
description: |-
5211
SectionName is the name of a section within the target resource. In the
5212
following resources, SectionName is interpreted as the following:
5213
5214
* Gateway: Listener name. When both Port (experimental) and SectionName
5215
are specified, the name and port of the selected listener must match
5216
both specified values.
5217
* Service: Port name. When both Port (experimental) and SectionName
5218
are specified, the name and port of the selected listener must match
5219
both specified values.
5220
5221
Implementations MAY choose to support attaching Routes to other resources.
5222
If that is the case, they MUST clearly document how SectionName is
5223
interpreted.
5224
5225
When unspecified (empty string), this will reference the entire resource.
5226
For the purpose of status, an attachment is considered successful if at
5227
least one section in the parent resource accepts it. For example, Gateway
5228
listeners can restrict which Routes can attach to them by Route kind,
5229
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
5230
the referencing Route, the Route MUST be considered successfully
5231
attached. If no Gateway listeners accept attachment from this Route, the
5232
Route MUST be considered detached from the Gateway.
5233
5234
Support: Core
5235
type: string
5236
maxLength: 253
5237
minLength: 1
5238
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
5239
podTemplate:
5240
description: |-
5241
Optional pod template used to configure the ACME challenge solver pods
5242
used for HTTP01 challenges.
5243
type: object
5244
properties:
5245
metadata:
5246
description: |-
5247
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
5248
Only the 'labels' and 'annotations' fields may be set.
5249
If labels or annotations overlap with in-built values, the values here
5250
will override the in-built values.
5251
type: object
5252
properties:
5253
annotations:
5254
description: Annotations that should be added to the created ACME HTTP01 solver pods.
5255
type: object
5256
additionalProperties:
5257
type: string
5258
labels:
5259
description: Labels that should be added to the created ACME HTTP01 solver pods.
5260
type: object
5261
additionalProperties:
5262
type: string
5263
spec:
5264
description: |-
5265
PodSpec defines overrides for the HTTP01 challenge solver pod.
5266
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
5267
All other fields will be ignored.
5268
type: object
5269
properties:
5270
affinity:
5271
description: If specified, the pod's scheduling constraints
5272
type: object
5273
properties:
5274
nodeAffinity:
5275
description: Describes node affinity scheduling rules for the pod.
5276
type: object
5277
properties:
5278
preferredDuringSchedulingIgnoredDuringExecution:
5279
description: |-
5280
The scheduler will prefer to schedule pods to nodes that satisfy
5281
the affinity expressions specified by this field, but it may choose
5282
a node that violates one or more of the expressions. The node that is
5283
most preferred is the one with the greatest sum of weights, i.e.
5284
for each node that meets all of the scheduling requirements (resource
5285
request, requiredDuringScheduling affinity expressions, etc.),
5286
compute a sum by iterating through the elements of this field and adding
5287
"weight" to the sum if the node matches the corresponding matchExpressions; the
5288
node(s) with the highest sum are the most preferred.
5289
type: array
5290
items:
5291
description: |-
5292
An empty preferred scheduling term matches all objects with implicit weight 0
5293
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
5294
type: object
5295
required:
5296
- preference
5297
- weight
5298
properties:
5299
preference:
5300
description: A node selector term, associated with the corresponding weight.
5301
type: object
5302
properties:
5303
matchExpressions:
5304
description: A list of node selector requirements by node's labels.
5305
type: array
5306
items:
5307
description: |-
5308
A node selector requirement is a selector that contains values, a key, and an operator
5309
that relates the key and values.
5310
type: object
5311
required:
5312
- key
5313
- operator
5314
properties:
5315
key:
5316
description: The label key that the selector applies to.
5317
type: string
5318
operator:
5319
description: |-
5320
Represents a key's relationship to a set of values.
5321
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5322
type: string
5323
values:
5324
description: |-
5325
An array of string values. If the operator is In or NotIn,
5326
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5327
the values array must be empty. If the operator is Gt or Lt, the values
5328
array must have a single element, which will be interpreted as an integer.
5329
This array is replaced during a strategic merge patch.
5330
type: array
5331
items:
5332
type: string
5333
x-kubernetes-list-type: atomic
5334
x-kubernetes-list-type: atomic
5335
matchFields:
5336
description: A list of node selector requirements by node's fields.
5337
type: array
5338
items:
5339
description: |-
5340
A node selector requirement is a selector that contains values, a key, and an operator
5341
that relates the key and values.
5342
type: object
5343
required:
5344
- key
5345
- operator
5346
properties:
5347
key:
5348
description: The label key that the selector applies to.
5349
type: string
5350
operator:
5351
description: |-
5352
Represents a key's relationship to a set of values.
5353
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5354
type: string
5355
values:
5356
description: |-
5357
An array of string values. If the operator is In or NotIn,
5358
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5359
the values array must be empty. If the operator is Gt or Lt, the values
5360
array must have a single element, which will be interpreted as an integer.
5361
This array is replaced during a strategic merge patch.
5362
type: array
5363
items:
5364
type: string
5365
x-kubernetes-list-type: atomic
5366
x-kubernetes-list-type: atomic
5367
x-kubernetes-map-type: atomic
5368
weight:
5369
description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
5370
type: integer
5371
format: int32
5372
x-kubernetes-list-type: atomic
5373
requiredDuringSchedulingIgnoredDuringExecution:
5374
description: |-
5375
If the affinity requirements specified by this field are not met at
5376
scheduling time, the pod will not be scheduled onto the node.
5377
If the affinity requirements specified by this field cease to be met
5378
at some point during pod execution (e.g. due to an update), the system
5379
may or may not try to eventually evict the pod from its node.
5380
type: object
5381
required:
5382
- nodeSelectorTerms
5383
properties:
5384
nodeSelectorTerms:
5385
description: Required. A list of node selector terms. The terms are ORed.
5386
type: array
5387
items:
5388
description: |-
5389
A null or empty node selector term matches no objects. The requirements of
5390
them are ANDed.
5391
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
5392
type: object
5393
properties:
5394
matchExpressions:
5395
description: A list of node selector requirements by node's labels.
5396
type: array
5397
items:
5398
description: |-
5399
A node selector requirement is a selector that contains values, a key, and an operator
5400
that relates the key and values.
5401
type: object
5402
required:
5403
- key
5404
- operator
5405
properties:
5406
key:
5407
description: The label key that the selector applies to.
5408
type: string
5409
operator:
5410
description: |-
5411
Represents a key's relationship to a set of values.
5412
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5413
type: string
5414
values:
5415
description: |-
5416
An array of string values. If the operator is In or NotIn,
5417
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5418
the values array must be empty. If the operator is Gt or Lt, the values
5419
array must have a single element, which will be interpreted as an integer.
5420
This array is replaced during a strategic merge patch.
5421
type: array
5422
items:
5423
type: string
5424
x-kubernetes-list-type: atomic
5425
x-kubernetes-list-type: atomic
5426
matchFields:
5427
description: A list of node selector requirements by node's fields.
5428
type: array
5429
items:
5430
description: |-
5431
A node selector requirement is a selector that contains values, a key, and an operator
5432
that relates the key and values.
5433
type: object
5434
required:
5435
- key
5436
- operator
5437
properties:
5438
key:
5439
description: The label key that the selector applies to.
5440
type: string
5441
operator:
5442
description: |-
5443
Represents a key's relationship to a set of values.
5444
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5445
type: string
5446
values:
5447
description: |-
5448
An array of string values. If the operator is In or NotIn,
5449
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5450
the values array must be empty. If the operator is Gt or Lt, the values
5451
array must have a single element, which will be interpreted as an integer.
5452
This array is replaced during a strategic merge patch.
5453
type: array
5454
items:
5455
type: string
5456
x-kubernetes-list-type: atomic
5457
x-kubernetes-list-type: atomic
5458
x-kubernetes-map-type: atomic
5459
x-kubernetes-list-type: atomic
5460
x-kubernetes-map-type: atomic
5461
podAffinity:
5462
description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
5463
type: object
5464
properties:
5465
preferredDuringSchedulingIgnoredDuringExecution:
5466
description: |-
5467
The scheduler will prefer to schedule pods to nodes that satisfy
5468
the affinity expressions specified by this field, but it may choose
5469
a node that violates one or more of the expressions. The node that is
5470
most preferred is the one with the greatest sum of weights, i.e.
5471
for each node that meets all of the scheduling requirements (resource
5472
request, requiredDuringScheduling affinity expressions, etc.),
5473
compute a sum by iterating through the elements of this field and adding
5474
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
5475
node(s) with the highest sum are the most preferred.
5476
type: array
5477
items:
5478
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5479
type: object
5480
required:
5481
- podAffinityTerm
5482
- weight
5483
properties:
5484
podAffinityTerm:
5485
description: Required. A pod affinity term, associated with the corresponding weight.
5486
type: object
5487
required:
5488
- topologyKey
5489
properties:
5490
labelSelector:
5491
description: |-
5492
A label query over a set of resources, in this case pods.
5493
If it's null, this PodAffinityTerm matches with no Pods.
5494
type: object
5495
properties:
5496
matchExpressions:
5497
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5498
type: array
5499
items:
5500
description: |-
5501
A label selector requirement is a selector that contains values, a key, and an operator that
5502
relates the key and values.
5503
type: object
5504
required:
5505
- key
5506
- operator
5507
properties:
5508
key:
5509
description: key is the label key that the selector applies to.
5510
type: string
5511
operator:
5512
description: |-
5513
operator represents a key's relationship to a set of values.
5514
Valid operators are In, NotIn, Exists and DoesNotExist.
5515
type: string
5516
values:
5517
description: |-
5518
values is an array of string values. If the operator is In or NotIn,
5519
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5520
the values array must be empty. This array is replaced during a strategic
5521
merge patch.
5522
type: array
5523
items:
5524
type: string
5525
x-kubernetes-list-type: atomic
5526
x-kubernetes-list-type: atomic
5527
matchLabels:
5528
description: |-
5529
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5530
map is equivalent to an element of matchExpressions, whose key field is "key", the
5531
operator is "In", and the values array contains only "value". The requirements are ANDed.
5532
type: object
5533
additionalProperties:
5534
type: string
5535
x-kubernetes-map-type: atomic
5536
matchLabelKeys:
5537
description: |-
5538
MatchLabelKeys is a set of pod label keys to select which pods will
5539
be taken into consideration. The keys are used to lookup values from the
5540
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
5541
to select the group of existing pods which pods will be taken into consideration
5542
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5543
pod labels will be ignored. The default value is empty.
5544
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
5545
Also, matchLabelKeys cannot be set when labelSelector isn't set.
5546
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5547
type: array
5548
items:
5549
type: string
5550
x-kubernetes-list-type: atomic
5551
mismatchLabelKeys:
5552
description: |-
5553
MismatchLabelKeys is a set of pod label keys to select which pods will
5554
be taken into consideration. The keys are used to lookup values from the
5555
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
5556
to select the group of existing pods which pods will be taken into consideration
5557
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5558
pod labels will be ignored. The default value is empty.
5559
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
5560
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
5561
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5562
type: array
5563
items:
5564
type: string
5565
x-kubernetes-list-type: atomic
5566
namespaceSelector:
5567
description: |-
5568
A label query over the set of namespaces that the term applies to.
5569
The term is applied to the union of the namespaces selected by this field
5570
and the ones listed in the namespaces field.
5571
null selector and null or empty namespaces list means "this pod's namespace".
5572
An empty selector ({}) matches all namespaces.
5573
type: object
5574
properties:
5575
matchExpressions:
5576
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5577
type: array
5578
items:
5579
description: |-
5580
A label selector requirement is a selector that contains values, a key, and an operator that
5581
relates the key and values.
5582
type: object
5583
required:
5584
- key
5585
- operator
5586
properties:
5587
key:
5588
description: key is the label key that the selector applies to.
5589
type: string
5590
operator:
5591
description: |-
5592
operator represents a key's relationship to a set of values.
5593
Valid operators are In, NotIn, Exists and DoesNotExist.
5594
type: string
5595
values:
5596
description: |-
5597
values is an array of string values. If the operator is In or NotIn,
5598
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5599
the values array must be empty. This array is replaced during a strategic
5600
merge patch.
5601
type: array
5602
items:
5603
type: string
5604
x-kubernetes-list-type: atomic
5605
x-kubernetes-list-type: atomic
5606
matchLabels:
5607
description: |-
5608
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5609
map is equivalent to an element of matchExpressions, whose key field is "key", the
5610
operator is "In", and the values array contains only "value". The requirements are ANDed.
5611
type: object
5612
additionalProperties:
5613
type: string
5614
x-kubernetes-map-type: atomic
5615
namespaces:
5616
description: |-
5617
namespaces specifies a static list of namespace names that the term applies to.
5618
The term is applied to the union of the namespaces listed in this field
5619
and the ones selected by namespaceSelector.
5620
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
5621
type: array
5622
items:
5623
type: string
5624
x-kubernetes-list-type: atomic
5625
topologyKey:
5626
description: |-
5627
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
5628
the labelSelector in the specified namespaces, where co-located is defined as running on a node
5629
whose value of the label with key topologyKey matches that of any node on which any of the
5630
selected pods is running.
5631
Empty topologyKey is not allowed.
5632
type: string
5633
weight:
5634
description: |-
5635
weight associated with matching the corresponding podAffinityTerm,
5636
in the range 1-100.
5637
type: integer
5638
format: int32
5639
x-kubernetes-list-type: atomic
5640
requiredDuringSchedulingIgnoredDuringExecution:
5641
description: |-
5642
If the affinity requirements specified by this field are not met at
5643
scheduling time, the pod will not be scheduled onto the node.
5644
If the affinity requirements specified by this field cease to be met
5645
at some point during pod execution (e.g. due to a pod label update), the
5646
system may or may not try to eventually evict the pod from its node.
5647
When there are multiple elements, the lists of nodes corresponding to each
5648
podAffinityTerm are intersected, i.e. all terms must be satisfied.
5649
type: array
5650
items:
5651
description: |-
5652
Defines a set of pods (namely those matching the labelSelector
5653
relative to the given namespace(s)) that this pod should be
5654
co-located (affinity) or not co-located (anti-affinity) with,
5655
where co-located is defined as running on a node whose value of
5656
the label with key matches that of any node on which
5657
a pod of the set of pods is running
5658
type: object
5659
required:
5660
- topologyKey
5661
properties:
5662
labelSelector:
5663
description: |-
5664
A label query over a set of resources, in this case pods.
5665
If it's null, this PodAffinityTerm matches with no Pods.
5666
type: object
5667
properties:
5668
matchExpressions:
5669
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5670
type: array
5671
items:
5672
description: |-
5673
A label selector requirement is a selector that contains values, a key, and an operator that
5674
relates the key and values.
5675
type: object
5676
required:
5677
- key
5678
- operator
5679
properties:
5680
key:
5681
description: key is the label key that the selector applies to.
5682
type: string
5683
operator:
5684
description: |-
5685
operator represents a key's relationship to a set of values.
5686
Valid operators are In, NotIn, Exists and DoesNotExist.
5687
type: string
5688
values:
5689
description: |-
5690
values is an array of string values. If the operator is In or NotIn,
5691
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5692
the values array must be empty. This array is replaced during a strategic
5693
merge patch.
5694
type: array
5695
items:
5696
type: string
5697
x-kubernetes-list-type: atomic
5698
x-kubernetes-list-type: atomic
5699
matchLabels:
5700
description: |-
5701
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5702
map is equivalent to an element of matchExpressions, whose key field is "key", the
5703
operator is "In", and the values array contains only "value". The requirements are ANDed.
5704
type: object
5705
additionalProperties:
5706
type: string
5707
x-kubernetes-map-type: atomic
5708
matchLabelKeys:
5709
description: |-
5710
MatchLabelKeys is a set of pod label keys to select which pods will
5711
be taken into consideration. The keys are used to lookup values from the
5712
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
5713
to select the group of existing pods which pods will be taken into consideration
5714
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5715
pod labels will be ignored. The default value is empty.
5716
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
5717
Also, matchLabelKeys cannot be set when labelSelector isn't set.
5718
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5719
type: array
5720
items:
5721
type: string
5722
x-kubernetes-list-type: atomic
5723
mismatchLabelKeys:
5724
description: |-
5725
MismatchLabelKeys is a set of pod label keys to select which pods will
5726
be taken into consideration. The keys are used to lookup values from the
5727
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
5728
to select the group of existing pods which pods will be taken into consideration
5729
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5730
pod labels will be ignored. The default value is empty.
5731
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
5732
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
5733
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5734
type: array
5735
items:
5736
type: string
5737
x-kubernetes-list-type: atomic
5738
namespaceSelector:
5739
description: |-
5740
A label query over the set of namespaces that the term applies to.
5741
The term is applied to the union of the namespaces selected by this field
5742
and the ones listed in the namespaces field.
5743
null selector and null or empty namespaces list means "this pod's namespace".
5744
An empty selector ({}) matches all namespaces.
5745
type: object
5746
properties:
5747
matchExpressions:
5748
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5749
type: array
5750
items:
5751
description: |-
5752
A label selector requirement is a selector that contains values, a key, and an operator that
5753
relates the key and values.
5754
type: object
5755
required:
5756
- key
5757
- operator
5758
properties:
5759
key:
5760
description: key is the label key that the selector applies to.
5761
type: string
5762
operator:
5763
description: |-
5764
operator represents a key's relationship to a set of values.
5765
Valid operators are In, NotIn, Exists and DoesNotExist.
5766
type: string
5767
values:
5768
description: |-
5769
values is an array of string values. If the operator is In or NotIn,
5770
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5771
the values array must be empty. This array is replaced during a strategic
5772
merge patch.
5773
type: array
5774
items:
5775
type: string
5776
x-kubernetes-list-type: atomic
5777
x-kubernetes-list-type: atomic
5778
matchLabels:
5779
description: |-
5780
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5781
map is equivalent to an element of matchExpressions, whose key field is "key", the
5782
operator is "In", and the values array contains only "value". The requirements are ANDed.
5783
type: object
5784
additionalProperties:
5785
type: string
5786
x-kubernetes-map-type: atomic
5787
namespaces:
5788
description: |-
5789
namespaces specifies a static list of namespace names that the term applies to.
5790
The term is applied to the union of the namespaces listed in this field
5791
and the ones selected by namespaceSelector.
5792
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
5793
type: array
5794
items:
5795
type: string
5796
x-kubernetes-list-type: atomic
5797
topologyKey:
5798
description: |-
5799
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
5800
the labelSelector in the specified namespaces, where co-located is defined as running on a node
5801
whose value of the label with key topologyKey matches that of any node on which any of the
5802
selected pods is running.
5803
Empty topologyKey is not allowed.
5804
type: string
5805
x-kubernetes-list-type: atomic
5806
podAntiAffinity:
5807
description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
5808
type: object
5809
properties:
5810
preferredDuringSchedulingIgnoredDuringExecution:
5811
description: |-
5812
The scheduler will prefer to schedule pods to nodes that satisfy
5813
the anti-affinity expressions specified by this field, but it may choose
5814
a node that violates one or more of the expressions. The node that is
5815
most preferred is the one with the greatest sum of weights, i.e.
5816
for each node that meets all of the scheduling requirements (resource
5817
request, requiredDuringScheduling anti-affinity expressions, etc.),
5818
compute a sum by iterating through the elements of this field and adding
5819
"weight" to the sum if the node has pods that match the corresponding podAffinityTerm; the
5820
node(s) with the highest sum are the most preferred.
5821
type: array
5822
items:
5823
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5824
type: object
5825
required:
5826
- podAffinityTerm
5827
- weight
5828
properties:
5829
podAffinityTerm:
5830
description: Required. A pod affinity term, associated with the corresponding weight.
5831
type: object
5832
required:
5833
- topologyKey
5834
properties:
5835
labelSelector:
5836
description: |-
5837
A label query over a set of resources, in this case pods.
5838
If it's null, this PodAffinityTerm matches with no Pods.
5839
type: object
5840
properties:
5841
matchExpressions:
5842
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5843
type: array
5844
items:
5845
description: |-
5846
A label selector requirement is a selector that contains values, a key, and an operator that
5847
relates the key and values.
5848
type: object
5849
required:
5850
- key
5851
- operator
5852
properties:
5853
key:
5854
description: key is the label key that the selector applies to.
5855
type: string
5856
operator:
5857
description: |-
5858
operator represents a key's relationship to a set of values.
5859
Valid operators are In, NotIn, Exists and DoesNotExist.
5860
type: string
5861
values:
5862
description: |-
5863
values is an array of string values. If the operator is In or NotIn,
5864
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5865
the values array must be empty. This array is replaced during a strategic
5866
merge patch.
5867
type: array
5868
items:
5869
type: string
5870
x-kubernetes-list-type: atomic
5871
x-kubernetes-list-type: atomic
5872
matchLabels:
5873
description: |-
5874
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5875
map is equivalent to an element of matchExpressions, whose key field is "key", the
5876
operator is "In", and the values array contains only "value". The requirements are ANDed.
5877
type: object
5878
additionalProperties:
5879
type: string
5880
x-kubernetes-map-type: atomic
5881
matchLabelKeys:
5882
description: |-
5883
MatchLabelKeys is a set of pod label keys to select which pods will
5884
be taken into consideration. The keys are used to lookup values from the
5885
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
5886
to select the group of existing pods that will be taken into consideration
5887
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5888
pod labels will be ignored. The default value is empty.
5889
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
5890
Also, matchLabelKeys cannot be set when labelSelector isn't set.
5891
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5892
type: array
5893
items:
5894
type: string
5895
x-kubernetes-list-type: atomic
5896
mismatchLabelKeys:
5897
description: |-
5898
MismatchLabelKeys is a set of pod label keys to select which pods will
5899
be taken into consideration. The keys are used to lookup values from the
5900
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
5901
to select the group of existing pods that will be taken into consideration
5902
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5903
pod labels will be ignored. The default value is empty.
5904
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
5905
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
5906
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5907
type: array
5908
items:
5909
type: string
5910
x-kubernetes-list-type: atomic
5911
namespaceSelector:
5912
description: |-
5913
A label query over the set of namespaces that the term applies to.
5914
The term is applied to the union of the namespaces selected by this field
5915
and the ones listed in the namespaces field.
5916
null selector and null or empty namespaces list means "this pod's namespace".
5917
An empty selector ({}) matches all namespaces.
5918
type: object
5919
properties:
5920
matchExpressions:
5921
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5922
type: array
5923
items:
5924
description: |-
5925
A label selector requirement is a selector that contains values, a key, and an operator that
5926
relates the key and values.
5927
type: object
5928
required:
5929
- key
5930
- operator
5931
properties:
5932
key:
5933
description: key is the label key that the selector applies to.
5934
type: string
5935
operator:
5936
description: |-
5937
operator represents a key's relationship to a set of values.
5938
Valid operators are In, NotIn, Exists and DoesNotExist.
5939
type: string
5940
values:
5941
description: |-
5942
values is an array of string values. If the operator is In or NotIn,
5943
the values array must be non-empty. If the operator is Exists or DoesNotExist,
5944
the values array must be empty. This array is replaced during a strategic
5945
merge patch.
5946
type: array
5947
items:
5948
type: string
5949
x-kubernetes-list-type: atomic
5950
x-kubernetes-list-type: atomic
5951
matchLabels:
5952
description: |-
5953
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5954
map is equivalent to an element of matchExpressions, whose key field is "key", the
5955
operator is "In", and the values array contains only "value". The requirements are ANDed.
5956
type: object
5957
additionalProperties:
5958
type: string
5959
x-kubernetes-map-type: atomic
5960
namespaces:
5961
description: |-
5962
namespaces specifies a static list of namespace names that the term applies to.
5963
The term is applied to the union of the namespaces listed in this field
5964
and the ones selected by namespaceSelector.
5965
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
5966
type: array
5967
items:
5968
type: string
5969
x-kubernetes-list-type: atomic
5970
topologyKey:
5971
description: |-
5972
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
5973
the labelSelector in the specified namespaces, where co-located is defined as running on a node
5974
whose value of the label with key topologyKey matches that of any node on which any of the
5975
selected pods is running.
5976
Empty topologyKey is not allowed.
5977
type: string
5978
weight:
5979
description: |-
5980
weight associated with matching the corresponding podAffinityTerm,
5981
in the range 1-100.
5982
type: integer
5983
format: int32
5984
x-kubernetes-list-type: atomic
5985
requiredDuringSchedulingIgnoredDuringExecution:
5986
description: |-
5987
If the anti-affinity requirements specified by this field are not met at
5988
scheduling time, the pod will not be scheduled onto the node.
5989
If the anti-affinity requirements specified by this field cease to be met
5990
at some point during pod execution (e.g. due to a pod label update), the
5991
system may or may not try to eventually evict the pod from its node.
5992
When there are multiple elements, the lists of nodes corresponding to each
5993
podAffinityTerm are intersected, i.e. all terms must be satisfied.
5994
type: array
5995
items:
5996
description: |-
5997
Defines a set of pods (namely those matching the labelSelector
5998
relative to the given namespace(s)) that this pod should be
5999
co-located (affinity) or not co-located (anti-affinity) with,
6000
where co-located is defined as running on a node whose value of
6001
the label with key topologyKey matches that of any node on which
6002
a pod of the set of pods is running
6003
type: object
6004
required:
6005
- topologyKey
6006
properties:
6007
labelSelector:
6008
description: |-
6009
A label query over a set of resources, in this case pods.
6010
If it's null, this PodAffinityTerm matches with no Pods.
6011
type: object
6012
properties:
6013
matchExpressions:
6014
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6015
type: array
6016
items:
6017
description: |-
6018
A label selector requirement is a selector that contains values, a key, and an operator that
6019
relates the key and values.
6020
type: object
6021
required:
6022
- key
6023
- operator
6024
properties:
6025
key:
6026
description: key is the label key that the selector applies to.
6027
type: string
6028
operator:
6029
description: |-
6030
operator represents a key's relationship to a set of values.
6031
Valid operators are In, NotIn, Exists and DoesNotExist.
6032
type: string
6033
values:
6034
description: |-
6035
values is an array of string values. If the operator is In or NotIn,
6036
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6037
the values array must be empty. This array is replaced during a strategic
6038
merge patch.
6039
type: array
6040
items:
6041
type: string
6042
x-kubernetes-list-type: atomic
6043
x-kubernetes-list-type: atomic
6044
matchLabels:
6045
description: |-
6046
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6047
map is equivalent to an element of matchExpressions, whose key field is "key", the
6048
operator is "In", and the values array contains only "value". The requirements are ANDed.
6049
type: object
6050
additionalProperties:
6051
type: string
6052
x-kubernetes-map-type: atomic
6053
matchLabelKeys:
6054
description: |-
6055
MatchLabelKeys is a set of pod label keys to select which pods will
6056
be taken into consideration. The keys are used to lookup values from the
6057
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
6058
to select the group of existing pods that will be taken into consideration
6059
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6060
pod labels will be ignored. The default value is empty.
6061
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
6062
Also, matchLabelKeys cannot be set when labelSelector isn't set.
6063
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6064
type: array
6065
items:
6066
type: string
6067
x-kubernetes-list-type: atomic
6068
mismatchLabelKeys:
6069
description: |-
6070
MismatchLabelKeys is a set of pod label keys to select which pods will
6071
be taken into consideration. The keys are used to lookup values from the
6072
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
6073
to select the group of existing pods that will be taken into consideration
6074
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6075
pod labels will be ignored. The default value is empty.
6076
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
6077
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
6078
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6079
type: array
6080
items:
6081
type: string
6082
x-kubernetes-list-type: atomic
6083
namespaceSelector:
6084
description: |-
6085
A label query over the set of namespaces that the term applies to.
6086
The term is applied to the union of the namespaces selected by this field
6087
and the ones listed in the namespaces field.
6088
null selector and null or empty namespaces list means "this pod's namespace".
6089
An empty selector ({}) matches all namespaces.
6090
type: object
6091
properties:
6092
matchExpressions:
6093
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6094
type: array
6095
items:
6096
description: |-
6097
A label selector requirement is a selector that contains values, a key, and an operator that
6098
relates the key and values.
6099
type: object
6100
required:
6101
- key
6102
- operator
6103
properties:
6104
key:
6105
description: key is the label key that the selector applies to.
6106
type: string
6107
operator:
6108
description: |-
6109
operator represents a key's relationship to a set of values.
6110
Valid operators are In, NotIn, Exists and DoesNotExist.
6111
type: string
6112
values:
6113
description: |-
6114
values is an array of string values. If the operator is In or NotIn,
6115
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6116
the values array must be empty. This array is replaced during a strategic
6117
merge patch.
6118
type: array
6119
items:
6120
type: string
6121
x-kubernetes-list-type: atomic
6122
x-kubernetes-list-type: atomic
6123
matchLabels:
6124
description: |-
6125
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6126
map is equivalent to an element of matchExpressions, whose key field is "key", the
6127
operator is "In", and the values array contains only "value". The requirements are ANDed.
6128
type: object
6129
additionalProperties:
6130
type: string
6131
x-kubernetes-map-type: atomic
6132
namespaces:
6133
description: |-
6134
namespaces specifies a static list of namespace names that the term applies to.
6135
The term is applied to the union of the namespaces listed in this field
6136
and the ones selected by namespaceSelector.
6137
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
6138
type: array
6139
items:
6140
type: string
6141
x-kubernetes-list-type: atomic
6142
topologyKey:
6143
description: |-
6144
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
6145
the labelSelector in the specified namespaces, where co-located is defined as running on a node
6146
whose value of the label with key topologyKey matches that of any node on which any of the
6147
selected pods is running.
6148
Empty topologyKey is not allowed.
6149
type: string
6150
x-kubernetes-list-type: atomic
6151
imagePullSecrets:
6152
description: If specified, the pod's imagePullSecrets
6153
type: array
6154
items:
6155
description: |-
6156
LocalObjectReference contains enough information to let you locate the
6157
referenced object inside the same namespace.
6158
type: object
6159
properties:
6160
name:
6161
description: |-
6162
Name of the referent.
6163
This field is effectively required, but due to backwards compatibility is
6164
allowed to be empty. Instances of this type with an empty value here are
6165
almost certainly wrong.
6166
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
6167
type: string
6168
default: ""
6169
x-kubernetes-map-type: atomic
6170
nodeSelector:
6171
description: |-
6172
NodeSelector is a selector which must be true for the pod to fit on a node.
6173
Selector which must match a node's labels for the pod to be scheduled on that node.
6174
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
6175
type: object
6176
additionalProperties:
6177
type: string
6178
priorityClassName:
6179
description: If specified, the pod's priorityClassName.
6180
type: string
6181
securityContext:
6182
description: If specified, the pod's security context
6183
type: object
6184
properties:
6185
fsGroup:
6186
description: |-
6187
A special supplemental group that applies to all containers in a pod.
6188
Some volume types allow the Kubelet to change the ownership of that volume
6189
to be owned by the pod:
6190
6191
1. The owning GID will be the FSGroup
6192
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
6193
3. The permission bits are OR'd with rw-rw----
6194
6195
If unset, the Kubelet will not modify the ownership and permissions of any volume.
6196
Note that this field cannot be set when spec.os.name is windows.
6197
type: integer
6198
format: int64
6199
fsGroupChangePolicy:
6200
description: |-
6201
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
6202
before being exposed inside Pod. This field will only apply to
6203
volume types which support fsGroup-based ownership (and permissions).
6204
It will have no effect on ephemeral volume types such as: secret, configmaps
6205
and emptydir.
6206
Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
6207
Note that this field cannot be set when spec.os.name is windows.
6208
type: string
6209
runAsGroup:
6210
description: |-
6211
The GID to run the entrypoint of the container process.
6212
Uses runtime default if unset.
6213
May also be set in SecurityContext. If set in both SecurityContext and
6214
PodSecurityContext, the value specified in SecurityContext takes precedence
6215
for that container.
6216
Note that this field cannot be set when spec.os.name is windows.
6217
type: integer
6218
format: int64
6219
runAsNonRoot:
6220
description: |-
6221
Indicates that the container must run as a non-root user.
6222
If true, the Kubelet will validate the image at runtime to ensure that it
6223
does not run as UID 0 (root) and fail to start the container if it does.
6224
If unset or false, no such validation will be performed.
6225
May also be set in SecurityContext. If set in both SecurityContext and
6226
PodSecurityContext, the value specified in SecurityContext takes precedence.
6227
type: boolean
6228
runAsUser:
6229
description: |-
6230
The UID to run the entrypoint of the container process.
6231
Defaults to user specified in image metadata if unspecified.
6232
May also be set in SecurityContext. If set in both SecurityContext and
6233
PodSecurityContext, the value specified in SecurityContext takes precedence
6234
for that container.
6235
Note that this field cannot be set when spec.os.name is windows.
6236
type: integer
6237
format: int64
6238
seLinuxOptions:
6239
description: |-
6240
The SELinux context to be applied to all containers.
6241
If unspecified, the container runtime will allocate a random SELinux context for each
6242
container. May also be set in SecurityContext. If set in
6243
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
6244
takes precedence for that container.
6245
Note that this field cannot be set when spec.os.name is windows.
6246
type: object
6247
properties:
6248
level:
6249
description: Level is SELinux level label that applies to the container.
6250
type: string
6251
role:
6252
description: Role is a SELinux role label that applies to the container.
6253
type: string
6254
type:
6255
description: Type is a SELinux type label that applies to the container.
6256
type: string
6257
user:
6258
description: User is a SELinux user label that applies to the container.
6259
type: string
6260
seccompProfile:
6261
description: |-
6262
The seccomp options to use by the containers in this pod.
6263
Note that this field cannot be set when spec.os.name is windows.
6264
type: object
6265
required:
6266
- type
6267
properties:
6268
localhostProfile:
6269
description: |-
6270
localhostProfile indicates a profile defined in a file on the node should be used.
6271
The profile must be preconfigured on the node to work.
6272
Must be a descending path, relative to the kubelet's configured seccomp profile location.
6273
Must be set if type is "Localhost". Must NOT be set for any other type.
6274
type: string
6275
type:
6276
description: |-
6277
type indicates which kind of seccomp profile will be applied.
6278
Valid options are:
6279
6280
Localhost - a profile defined in a file on the node should be used.
6281
RuntimeDefault - the container runtime default profile should be used.
6282
Unconfined - no profile should be applied.
6283
type: string
6284
supplementalGroups:
6285
description: |-
6286
A list of groups applied to the first process run in each container, in addition
6287
to the container's primary GID, the fsGroup (if specified), and group memberships
6288
defined in the container image for the uid of the container process. If unspecified,
6289
no additional groups are added to any container. Note that group memberships
6290
defined in the container image for the uid of the container process are still effective,
6291
even if they are not included in this list.
6292
Note that this field cannot be set when spec.os.name is windows.
6293
type: array
6294
items:
6295
type: integer
6296
format: int64
6297
sysctls:
6298
description: |-
6299
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
6300
sysctls (by the container runtime) might fail to launch.
6301
Note that this field cannot be set when spec.os.name is windows.
6302
type: array
6303
items:
6304
description: Sysctl defines a kernel parameter to be set
6305
type: object
6306
required:
6307
- name
6308
- value
6309
properties:
6310
name:
6311
description: Name of a property to set
6312
type: string
6313
value:
6314
description: Value of a property to set
6315
type: string
6316
serviceAccountName:
6317
description: If specified, the pod's service account
6318
type: string
6319
tolerations:
6320
description: If specified, the pod's tolerations.
6321
type: array
6322
items:
6323
description: |-
6324
The pod this Toleration is attached to tolerates any taint that matches
6325
the triple <key,value,effect> using the matching operator <operator>.
6326
type: object
6327
properties:
6328
effect:
6329
description: |-
6330
Effect indicates the taint effect to match. Empty means match all taint effects.
6331
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
6332
type: string
6333
key:
6334
description: |-
6335
Key is the taint key that the toleration applies to. Empty means match all taint keys.
6336
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
6337
type: string
6338
operator:
6339
description: |-
6340
Operator represents a key's relationship to the value.
6341
Valid operators are Exists and Equal. Defaults to Equal.
6342
Exists is equivalent to wildcard for value, so that a pod can
6343
tolerate all taints of a particular category.
6344
type: string
6345
tolerationSeconds:
6346
description: |-
6347
TolerationSeconds represents the period of time the toleration (which must be
6348
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
6349
it is not set, which means tolerate the taint forever (do not evict). Zero and
6350
negative values will be treated as 0 (evict immediately) by the system.
6351
type: integer
6352
format: int64
6353
value:
6354
description: |-
6355
Value is the taint value the toleration matches to.
6356
If the operator is Exists, the value should be empty, otherwise just a regular string.
6357
type: string
6358
serviceType:
6359
description: |-
6360
Optional service type for Kubernetes solver service. Supported values
6361
are NodePort or ClusterIP. If unset, defaults to NodePort.
6362
type: string
6363
ingress:
6364
description: |-
6365
The ingress based HTTP01 challenge solver will solve challenges by
6366
creating or modifying Ingress resources in order to route requests for
6367
'/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
6368
provisioned by cert-manager for each Challenge to be completed.
6369
type: object
6370
properties:
6371
class:
6372
description: |-
6373
This field configures the annotation `kubernetes.io/ingress.class` when
6374
creating Ingress resources to solve ACME challenges that use this
6375
challenge solver. Only one of `class`, `name` or `ingressClassName` may
6376
be specified.
6377
type: string
6378
ingressClassName:
6379
description: |-
6380
This field configures the field `ingressClassName` on the created Ingress
6381
resources used to solve ACME challenges that use this challenge solver.
6382
This is the recommended way of configuring the ingress class. Only one of
6383
`class`, `name` or `ingressClassName` may be specified.
6384
type: string
6385
ingressTemplate:
6386
description: |-
6387
Optional ingress template used to configure the ACME challenge solver
6388
ingress used for HTTP01 challenges.
6389
type: object
6390
properties:
6391
metadata:
6392
description: |-
6393
ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
6394
Only the 'labels' and 'annotations' fields may be set.
6395
If labels or annotations overlap with in-built values, the values here
6396
will override the in-built values.
6397
type: object
6398
properties:
6399
annotations:
6400
description: Annotations that should be added to the created ACME HTTP01 solver ingress.
6401
type: object
6402
additionalProperties:
6403
type: string
6404
labels:
6405
description: Labels that should be added to the created ACME HTTP01 solver ingress.
6406
type: object
6407
additionalProperties:
6408
type: string
6409
name:
6410
description: |-
6411
The name of the ingress resource that should have ACME challenge solving
6412
routes inserted into it in order to solve HTTP01 challenges.
6413
This is typically used in conjunction with ingress controllers like
6414
ingress-gce, which maintains a 1:1 mapping between external IPs and
6415
ingress resources. Only one of `class`, `name` or `ingressClassName` may
6416
be specified.
6417
type: string
6418
podTemplate:
6419
description: |-
6420
Optional pod template used to configure the ACME challenge solver pods
6421
used for HTTP01 challenges.
6422
type: object
6423
properties:
6424
metadata:
6425
description: |-
6426
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
6427
Only the 'labels' and 'annotations' fields may be set.
6428
If labels or annotations overlap with in-built values, the values here
6429
will override the in-built values.
6430
type: object
6431
properties:
6432
annotations:
6433
description: Annotations that should be added to the created ACME HTTP01 solver pods.
6434
type: object
6435
additionalProperties:
6436
type: string
6437
labels:
6438
description: Labels that should be added to the created ACME HTTP01 solver pods.
6439
type: object
6440
additionalProperties:
6441
type: string
6442
spec:
6443
description: |-
6444
PodSpec defines overrides for the HTTP01 challenge solver pod.
6445
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
6446
All other fields will be ignored.
6447
type: object
6448
properties:
6449
affinity:
6450
description: If specified, the pod's scheduling constraints
6451
type: object
6452
properties:
6453
nodeAffinity:
6454
description: Describes node affinity scheduling rules for the pod.
6455
type: object
6456
properties:
6457
preferredDuringSchedulingIgnoredDuringExecution:
6458
description: |-
6459
The scheduler will prefer to schedule pods to nodes that satisfy
6460
the affinity expressions specified by this field, but it may choose
6461
a node that violates one or more of the expressions. The node that is
6462
most preferred is the one with the greatest sum of weights, i.e.
6463
for each node that meets all of the scheduling requirements (resource
6464
request, requiredDuringScheduling affinity expressions, etc.),
6465
compute a sum by iterating through the elements of this field and adding
6466
"weight" to the sum if the node matches the corresponding matchExpressions; the
6467
node(s) with the highest sum are the most preferred.
6468
type: array
6469
items:
6470
description: |-
6471
An empty preferred scheduling term matches all objects with implicit weight 0
6472
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
6473
type: object
6474
required:
6475
- preference
6476
- weight
6477
properties:
6478
preference:
6479
description: A node selector term, associated with the corresponding weight.
6480
type: object
6481
properties:
6482
matchExpressions:
6483
description: A list of node selector requirements by node's labels.
6484
type: array
6485
items:
6486
description: |-
6487
A node selector requirement is a selector that contains values, a key, and an operator
6488
that relates the key and values.
6489
type: object
6490
required:
6491
- key
6492
- operator
6493
properties:
6494
key:
6495
description: The label key that the selector applies to.
6496
type: string
6497
operator:
6498
description: |-
6499
Represents a key's relationship to a set of values.
6500
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6501
type: string
6502
values:
6503
description: |-
6504
An array of string values. If the operator is In or NotIn,
6505
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6506
the values array must be empty. If the operator is Gt or Lt, the values
6507
array must have a single element, which will be interpreted as an integer.
6508
This array is replaced during a strategic merge patch.
6509
type: array
6510
items:
6511
type: string
6512
x-kubernetes-list-type: atomic
6513
x-kubernetes-list-type: atomic
6514
matchFields:
6515
description: A list of node selector requirements by node's fields.
6516
type: array
6517
items:
6518
description: |-
6519
A node selector requirement is a selector that contains values, a key, and an operator
6520
that relates the key and values.
6521
type: object
6522
required:
6523
- key
6524
- operator
6525
properties:
6526
key:
6527
description: The label key that the selector applies to.
6528
type: string
6529
operator:
6530
description: |-
6531
Represents a key's relationship to a set of values.
6532
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6533
type: string
6534
values:
6535
description: |-
6536
An array of string values. If the operator is In or NotIn,
6537
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6538
the values array must be empty. If the operator is Gt or Lt, the values
6539
array must have a single element, which will be interpreted as an integer.
6540
This array is replaced during a strategic merge patch.
6541
type: array
6542
items:
6543
type: string
6544
x-kubernetes-list-type: atomic
6545
x-kubernetes-list-type: atomic
6546
x-kubernetes-map-type: atomic
6547
weight:
6548
description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
6549
type: integer
6550
format: int32
6551
x-kubernetes-list-type: atomic
6552
requiredDuringSchedulingIgnoredDuringExecution:
6553
description: |-
6554
If the affinity requirements specified by this field are not met at
6555
scheduling time, the pod will not be scheduled onto the node.
6556
If the affinity requirements specified by this field cease to be met
6557
at some point during pod execution (e.g. due to an update), the system
6558
may or may not try to eventually evict the pod from its node.
6559
type: object
6560
required:
6561
- nodeSelectorTerms
6562
properties:
6563
nodeSelectorTerms:
6564
description: Required. A list of node selector terms. The terms are ORed.
6565
type: array
6566
items:
6567
description: |-
6568
A null or empty node selector term matches no objects. The requirements of
6569
them are ANDed.
6570
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
6571
type: object
6572
properties:
6573
matchExpressions:
6574
description: A list of node selector requirements by node's labels.
6575
type: array
6576
items:
6577
description: |-
6578
A node selector requirement is a selector that contains values, a key, and an operator
6579
that relates the key and values.
6580
type: object
6581
required:
6582
- key
6583
- operator
6584
properties:
6585
key:
6586
description: The label key that the selector applies to.
6587
type: string
6588
operator:
6589
description: |-
6590
Represents a key's relationship to a set of values.
6591
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6592
type: string
6593
values:
6594
description: |-
6595
An array of string values. If the operator is In or NotIn,
6596
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6597
the values array must be empty. If the operator is Gt or Lt, the values
6598
array must have a single element, which will be interpreted as an integer.
6599
This array is replaced during a strategic merge patch.
6600
type: array
6601
items:
6602
type: string
6603
x-kubernetes-list-type: atomic
6604
x-kubernetes-list-type: atomic
6605
matchFields:
6606
description: A list of node selector requirements by node's fields.
6607
type: array
6608
items:
6609
description: |-
6610
A node selector requirement is a selector that contains values, a key, and an operator
6611
that relates the key and values.
6612
type: object
6613
required:
6614
- key
6615
- operator
6616
properties:
6617
key:
6618
description: The label key that the selector applies to.
6619
type: string
6620
operator:
6621
description: |-
6622
Represents a key's relationship to a set of values.
6623
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6624
type: string
6625
values:
6626
description: |-
6627
An array of string values. If the operator is In or NotIn,
6628
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6629
the values array must be empty. If the operator is Gt or Lt, the values
6630
array must have a single element, which will be interpreted as an integer.
6631
This array is replaced during a strategic merge patch.
6632
type: array
6633
items:
6634
type: string
6635
x-kubernetes-list-type: atomic
6636
x-kubernetes-list-type: atomic
6637
x-kubernetes-map-type: atomic
6638
x-kubernetes-list-type: atomic
6639
x-kubernetes-map-type: atomic
6640
podAffinity:
6641
description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
6642
type: object
6643
properties:
6644
preferredDuringSchedulingIgnoredDuringExecution:
6645
description: |-
6646
The scheduler will prefer to schedule pods to nodes that satisfy
6647
the affinity expressions specified by this field, but it may choose
6648
a node that violates one or more of the expressions. The node that is
6649
most preferred is the one with the greatest sum of weights, i.e.
6650
for each node that meets all of the scheduling requirements (resource
6651
request, requiredDuringScheduling affinity expressions, etc.),
6652
compute a sum by iterating through the elements of this field and adding
6653
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
6654
node(s) with the highest sum are the most preferred.
6655
type: array
6656
items:
6657
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6658
type: object
6659
required:
6660
- podAffinityTerm
6661
- weight
6662
properties:
6663
podAffinityTerm:
6664
description: Required. A pod affinity term, associated with the corresponding weight.
6665
type: object
6666
required:
6667
- topologyKey
6668
properties:
6669
labelSelector:
6670
description: |-
6671
A label query over a set of resources, in this case pods.
6672
If it's null, this PodAffinityTerm matches with no Pods.
6673
type: object
6674
properties:
6675
matchExpressions:
6676
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6677
type: array
6678
items:
6679
description: |-
6680
A label selector requirement is a selector that contains values, a key, and an operator that
6681
relates the key and values.
6682
type: object
6683
required:
6684
- key
6685
- operator
6686
properties:
6687
key:
6688
description: key is the label key that the selector applies to.
6689
type: string
6690
operator:
6691
description: |-
6692
operator represents a key's relationship to a set of values.
6693
Valid operators are In, NotIn, Exists and DoesNotExist.
6694
type: string
6695
values:
6696
description: |-
6697
values is an array of string values. If the operator is In or NotIn,
6698
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6699
the values array must be empty. This array is replaced during a strategic
6700
merge patch.
6701
type: array
6702
items:
6703
type: string
6704
x-kubernetes-list-type: atomic
6705
x-kubernetes-list-type: atomic
6706
matchLabels:
6707
description: |-
6708
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6709
map is equivalent to an element of matchExpressions, whose key field is "key", the
6710
operator is "In", and the values array contains only "value". The requirements are ANDed.
6711
type: object
6712
additionalProperties:
6713
type: string
6714
x-kubernetes-map-type: atomic
6715
matchLabelKeys:
6716
description: |-
6717
MatchLabelKeys is a set of pod label keys to select which pods will
6718
be taken into consideration. The keys are used to look up values from the
6719
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
6720
to select the group of existing pods which pods will be taken into consideration
6721
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6722
pod labels will be ignored. The default value is empty.
6723
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
6724
Also, matchLabelKeys cannot be set when labelSelector isn't set.
6725
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6726
type: array
6727
items:
6728
type: string
6729
x-kubernetes-list-type: atomic
6730
mismatchLabelKeys:
6731
description: |-
6732
MismatchLabelKeys is a set of pod label keys to select which pods will
6733
be taken into consideration. The keys are used to look up values from the
6734
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
6735
to select the group of existing pods which pods will be taken into consideration
6736
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6737
pod labels will be ignored. The default value is empty.
6738
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
6739
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
6740
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6741
type: array
6742
items:
6743
type: string
6744
x-kubernetes-list-type: atomic
6745
namespaceSelector:
6746
description: |-
6747
A label query over the set of namespaces that the term applies to.
6748
The term is applied to the union of the namespaces selected by this field
6749
and the ones listed in the namespaces field.
6750
null selector and null or empty namespaces list means "this pod's namespace".
6751
An empty selector ({}) matches all namespaces.
6752
type: object
6753
properties:
6754
matchExpressions:
6755
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6756
type: array
6757
items:
6758
description: |-
6759
A label selector requirement is a selector that contains values, a key, and an operator that
6760
relates the key and values.
6761
type: object
6762
required:
6763
- key
6764
- operator
6765
properties:
6766
key:
6767
description: key is the label key that the selector applies to.
6768
type: string
6769
operator:
6770
description: |-
6771
operator represents a key's relationship to a set of values.
6772
Valid operators are In, NotIn, Exists and DoesNotExist.
6773
type: string
6774
values:
6775
description: |-
6776
values is an array of string values. If the operator is In or NotIn,
6777
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6778
the values array must be empty. This array is replaced during a strategic
6779
merge patch.
6780
type: array
6781
items:
6782
type: string
6783
x-kubernetes-list-type: atomic
6784
x-kubernetes-list-type: atomic
6785
matchLabels:
6786
description: |-
6787
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6788
map is equivalent to an element of matchExpressions, whose key field is "key", the
6789
operator is "In", and the values array contains only "value". The requirements are ANDed.
6790
type: object
6791
additionalProperties:
6792
type: string
6793
x-kubernetes-map-type: atomic
6794
namespaces:
6795
description: |-
6796
namespaces specifies a static list of namespace names that the term applies to.
6797
The term is applied to the union of the namespaces listed in this field
6798
and the ones selected by namespaceSelector.
6799
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
6800
type: array
6801
items:
6802
type: string
6803
x-kubernetes-list-type: atomic
6804
topologyKey:
6805
description: |-
6806
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
6807
the labelSelector in the specified namespaces, where co-located is defined as running on a node
6808
whose value of the label with key topologyKey matches that of any node on which any of the
6809
selected pods is running.
6810
Empty topologyKey is not allowed.
6811
type: string
6812
weight:
6813
description: |-
6814
weight associated with matching the corresponding podAffinityTerm,
6815
in the range 1-100.
6816
type: integer
6817
format: int32
6818
x-kubernetes-list-type: atomic
6819
requiredDuringSchedulingIgnoredDuringExecution:
6820
description: |-
6821
If the affinity requirements specified by this field are not met at
6822
scheduling time, the pod will not be scheduled onto the node.
6823
If the affinity requirements specified by this field cease to be met
6824
at some point during pod execution (e.g. due to a pod label update), the
6825
system may or may not try to eventually evict the pod from its node.
6826
When there are multiple elements, the lists of nodes corresponding to each
6827
podAffinityTerm are intersected, i.e. all terms must be satisfied.
6828
type: array
6829
items:
6830
description: |-
6831
Defines a set of pods (namely those matching the labelSelector
6832
relative to the given namespace(s)) that this pod should be
6833
co-located (affinity) or not co-located (anti-affinity) with,
6834
where co-located is defined as running on a node whose value of
6835
the label with key topologyKey matches that of any node on which
6836
a pod of the set of pods is running.
6837
type: object
6838
required:
6839
- topologyKey
6840
properties:
6841
labelSelector:
6842
description: |-
6843
A label query over a set of resources, in this case pods.
6844
If it's null, this PodAffinityTerm matches with no Pods.
6845
type: object
6846
properties:
6847
matchExpressions:
6848
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6849
type: array
6850
items:
6851
description: |-
6852
A label selector requirement is a selector that contains values, a key, and an operator that
6853
relates the key and values.
6854
type: object
6855
required:
6856
- key
6857
- operator
6858
properties:
6859
key:
6860
description: key is the label key that the selector applies to.
6861
type: string
6862
operator:
6863
description: |-
6864
operator represents a key's relationship to a set of values.
6865
Valid operators are In, NotIn, Exists and DoesNotExist.
6866
type: string
6867
values:
6868
description: |-
6869
values is an array of string values. If the operator is In or NotIn,
6870
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6871
the values array must be empty. This array is replaced during a strategic
6872
merge patch.
6873
type: array
6874
items:
6875
type: string
6876
x-kubernetes-list-type: atomic
6877
x-kubernetes-list-type: atomic
6878
matchLabels:
6879
description: |-
6880
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6881
map is equivalent to an element of matchExpressions, whose key field is "key", the
6882
operator is "In", and the values array contains only "value". The requirements are ANDed.
6883
type: object
6884
additionalProperties:
6885
type: string
6886
x-kubernetes-map-type: atomic
6887
matchLabelKeys:
6888
description: |-
6889
MatchLabelKeys is a set of pod label keys to select which pods will
6890
be taken into consideration. The keys are used to look up values from the
6891
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
6892
to select the group of existing pods which pods will be taken into consideration
6893
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6894
pod labels will be ignored. The default value is empty.
6895
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
6896
Also, matchLabelKeys cannot be set when labelSelector isn't set.
6897
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6898
type: array
6899
items:
6900
type: string
6901
x-kubernetes-list-type: atomic
6902
mismatchLabelKeys:
6903
description: |-
6904
MismatchLabelKeys is a set of pod label keys to select which pods will
6905
be taken into consideration. The keys are used to look up values from the
6906
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
6907
to select the group of existing pods which pods will be taken into consideration
6908
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6909
pod labels will be ignored. The default value is empty.
6910
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
6911
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
6912
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6913
type: array
6914
items:
6915
type: string
6916
x-kubernetes-list-type: atomic
6917
namespaceSelector:
6918
description: |-
6919
A label query over the set of namespaces that the term applies to.
6920
The term is applied to the union of the namespaces selected by this field
6921
and the ones listed in the namespaces field.
6922
null selector and null or empty namespaces list means "this pod's namespace".
6923
An empty selector ({}) matches all namespaces.
6924
type: object
6925
properties:
6926
matchExpressions:
6927
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6928
type: array
6929
items:
6930
description: |-
6931
A label selector requirement is a selector that contains values, a key, and an operator that
6932
relates the key and values.
6933
type: object
6934
required:
6935
- key
6936
- operator
6937
properties:
6938
key:
6939
description: key is the label key that the selector applies to.
6940
type: string
6941
operator:
6942
description: |-
6943
operator represents a key's relationship to a set of values.
6944
Valid operators are In, NotIn, Exists and DoesNotExist.
6945
type: string
6946
values:
6947
description: |-
6948
values is an array of string values. If the operator is In or NotIn,
6949
the values array must be non-empty. If the operator is Exists or DoesNotExist,
6950
the values array must be empty. This array is replaced during a strategic
6951
merge patch.
6952
type: array
6953
items:
6954
type: string
6955
x-kubernetes-list-type: atomic
6956
x-kubernetes-list-type: atomic
6957
matchLabels:
6958
description: |-
6959
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6960
map is equivalent to an element of matchExpressions, whose key field is "key", the
6961
operator is "In", and the values array contains only "value". The requirements are ANDed.
6962
type: object
6963
additionalProperties:
6964
type: string
6965
x-kubernetes-map-type: atomic
6966
namespaces:
6967
description: |-
6968
namespaces specifies a static list of namespace names that the term applies to.
6969
The term is applied to the union of the namespaces listed in this field
6970
and the ones selected by namespaceSelector.
6971
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
6972
type: array
6973
items:
6974
type: string
6975
x-kubernetes-list-type: atomic
6976
topologyKey:
6977
description: |-
6978
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
6979
the labelSelector in the specified namespaces, where co-located is defined as running on a node
6980
whose value of the label with key topologyKey matches that of any node on which any of the
6981
selected pods is running.
6982
Empty topologyKey is not allowed.
6983
type: string
6984
x-kubernetes-list-type: atomic
6985
podAntiAffinity:
6986
description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
6987
type: object
6988
properties:
6989
preferredDuringSchedulingIgnoredDuringExecution:
6990
description: |-
6991
The scheduler will prefer to schedule pods to nodes that satisfy
6992
the anti-affinity expressions specified by this field, but it may choose
6993
a node that violates one or more of the expressions. The node that is
6994
most preferred is the one with the greatest sum of weights, i.e.
6995
for each node that meets all of the scheduling requirements (resource
6996
request, requiredDuringScheduling anti-affinity expressions, etc.),
6997
compute a sum by iterating through the elements of this field and adding
6998
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
6999
node(s) with the highest sum are the most preferred.
7000
type: array
7001
items:
7002
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7003
type: object
7004
required:
7005
- podAffinityTerm
7006
- weight
7007
properties:
7008
podAffinityTerm:
7009
description: Required. A pod affinity term, associated with the corresponding weight.
7010
type: object
7011
required:
7012
- topologyKey
7013
properties:
7014
labelSelector:
7015
description: |-
7016
A label query over a set of resources, in this case pods.
7017
If it's null, this PodAffinityTerm matches with no Pods.
7018
type: object
7019
properties:
7020
matchExpressions:
7021
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7022
type: array
7023
items:
7024
description: |-
7025
A label selector requirement is a selector that contains values, a key, and an operator that
7026
relates the key and values.
7027
type: object
7028
required:
7029
- key
7030
- operator
7031
properties:
7032
key:
7033
description: key is the label key that the selector applies to.
7034
type: string
7035
operator:
7036
description: |-
7037
operator represents a key's relationship to a set of values.
7038
Valid operators are In, NotIn, Exists and DoesNotExist.
7039
type: string
7040
values:
7041
description: |-
7042
values is an array of string values. If the operator is In or NotIn,
7043
the values array must be non-empty. If the operator is Exists or DoesNotExist,
7044
the values array must be empty. This array is replaced during a strategic
7045
merge patch.
7046
type: array
7047
items:
7048
type: string
7049
x-kubernetes-list-type: atomic
7050
x-kubernetes-list-type: atomic
7051
matchLabels:
7052
description: |-
7053
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
7054
map is equivalent to an element of matchExpressions, whose key field is "key", the
7055
operator is "In", and the values array contains only "value". The requirements are ANDed.
7056
type: object
7057
additionalProperties:
7058
type: string
7059
x-kubernetes-map-type: atomic
7060
matchLabelKeys:
7061
description: |-
7062
MatchLabelKeys is a set of pod label keys to select which pods will
7063
be taken into consideration. The keys are used to look up values from the
7064
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
7065
to select the group of existing pods which pods will be taken into consideration
7066
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
7067
pod labels will be ignored. The default value is empty.
7068
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
7069
Also, matchLabelKeys cannot be set when labelSelector isn't set.
7070
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
7071
type: array
7072
items:
7073
type: string
7074
x-kubernetes-list-type: atomic
7075
mismatchLabelKeys:
7076
description: |-
7077
MismatchLabelKeys is a set of pod label keys to select which pods will
7078
be taken into consideration. The keys are used to look up values from the
7079
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
7080
to select the group of existing pods which pods will be taken into consideration
7081
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
7082
pod labels will be ignored. The default value is empty.
7083
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
7084
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
7085
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
7086
type: array
7087
items:
7088
type: string
7089
x-kubernetes-list-type: atomic
7090
namespaceSelector:
7091
description: |-
7092
A label query over the set of namespaces that the term applies to.
7093
The term is applied to the union of the namespaces selected by this field
7094
and the ones listed in the namespaces field.
7095
null selector and null or empty namespaces list means "this pod's namespace".
7096
An empty selector ({}) matches all namespaces.
7097
type: object
7098
properties:
7099
matchExpressions:
7100
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7101
type: array
7102
items:
7103
description: |-
7104
A label selector requirement is a selector that contains values, a key, and an operator that
7105
relates the key and values.
7106
type: object
7107
required:
7108
- key
7109
- operator
7110
properties:
7111
key:
7112
description: key is the label key that the selector applies to.
7113
type: string
7114
operator:
7115
description: |-
7116
operator represents a key's relationship to a set of values.
7117
Valid operators are In, NotIn, Exists and DoesNotExist.
7118
type: string
7119
values:
7120
description: |-
7121
values is an array of string values. If the operator is In or NotIn,
7122
the values array must be non-empty. If the operator is Exists or DoesNotExist,
7123
the values array must be empty. This array is replaced during a strategic
7124
merge patch.
7125
type: array
7126
items:
7127
type: string
7128
x-kubernetes-list-type: atomic
7129
x-kubernetes-list-type: atomic
7130
matchLabels:
7131
description: |-
7132
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
7133
map is equivalent to an element of matchExpressions, whose key field is "key", the
7134
operator is "In", and the values array contains only "value". The requirements are ANDed.
7135
type: object
7136
additionalProperties:
7137
type: string
7138
x-kubernetes-map-type: atomic
7139
namespaces:
7140
description: |-
7141
namespaces specifies a static list of namespace names that the term applies to.
7142
The term is applied to the union of the namespaces listed in this field
7143
and the ones selected by namespaceSelector.
7144
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
7145
type: array
7146
items:
7147
type: string
7148
x-kubernetes-list-type: atomic
7149
topologyKey:
7150
description: |-
7151
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
7152
the labelSelector in the specified namespaces, where co-located is defined as running on a node
7153
whose value of the label with key topologyKey matches that of any node on which any of the
7154
selected pods is running.
7155
Empty topologyKey is not allowed.
7156
type: string
7157
weight:
7158
description: |-
7159
weight associated with matching the corresponding podAffinityTerm,
7160
in the range 1-100.
7161
type: integer
7162
format: int32
7163
x-kubernetes-list-type: atomic
7164
requiredDuringSchedulingIgnoredDuringExecution:
7165
description: |-
7166
If the anti-affinity requirements specified by this field are not met at
7167
scheduling time, the pod will not be scheduled onto the node.
7168
If the anti-affinity requirements specified by this field cease to be met
7169
at some point during pod execution (e.g. due to a pod label update), the
7170
system may or may not try to eventually evict the pod from its node.
7171
When there are multiple elements, the lists of nodes corresponding to each
7172
podAffinityTerm are intersected, i.e. all terms must be satisfied.
7173
type: array
7174
items:
7175
description: |-
7176
Defines a set of pods (namely those matching the labelSelector
7177
relative to the given namespace(s)) that this pod should be
7178
co-located (affinity) or not co-located (anti-affinity) with,
7179
where co-located is defined as running on a node whose value of
7180
the label with key topologyKey matches that of any node on which
7181
a pod of the set of pods is running.
7182
type: object
7183
required:
7184
- topologyKey
7185
properties:
7186
labelSelector:
7187
description: |-
7188
A label query over a set of resources, in this case pods.
7189
If it's null, this PodAffinityTerm matches with no Pods.
7190
type: object
7191
properties:
7192
matchExpressions:
7193
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7194
type: array
7195
items:
7196
description: |-
7197
A label selector requirement is a selector that contains values, a key, and an operator that
7198
relates the key and values.
7199
type: object
7200
required:
7201
- key
7202
- operator
7203
properties:
7204
key:
7205
description: key is the label key that the selector applies to.
7206
type: string
7207
operator:
7208
description: |-
7209
operator represents a key's relationship to a set of values.
7210
Valid operators are In, NotIn, Exists and DoesNotExist.
7211
type: string
7212
values:
7213
description: |-
7214
values is an array of string values. If the operator is In or NotIn,
7215
the values array must be non-empty. If the operator is Exists or DoesNotExist,
7216
the values array must be empty. This array is replaced during a strategic
7217
merge patch.
7218
type: array
7219
items:
7220
type: string
7221
x-kubernetes-list-type: atomic
7222
x-kubernetes-list-type: atomic
7223
matchLabels:
7224
description: |-
7225
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
7226
map is equivalent to an element of matchExpressions, whose key field is "key", the
7227
operator is "In", and the values array contains only "value". The requirements are ANDed.
7228
type: object
7229
additionalProperties:
7230
type: string
7231
x-kubernetes-map-type: atomic
7232
matchLabelKeys:
7233
description: |-
7234
MatchLabelKeys is a set of pod label keys to select which pods will
7235
be taken into consideration. The keys are used to look up values from the
7236
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
7237
to select the group of existing pods which pods will be taken into consideration
7238
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
7239
pod labels will be ignored. The default value is empty.
7240
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
7241
Also, matchLabelKeys cannot be set when labelSelector isn't set.
7242
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
7243
type: array
7244
items:
7245
type: string
7246
x-kubernetes-list-type: atomic
7247
mismatchLabelKeys:
7248
description: |-
7249
MismatchLabelKeys is a set of pod label keys to select which pods will
7250
be taken into consideration. The keys are used to look up values from the
7251
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
7252
to select the group of existing pods which pods will be taken into consideration
7253
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
7254
pod labels will be ignored. The default value is empty.
7255
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
7256
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
7257
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
7258
type: array
7259
items:
7260
type: string
7261
x-kubernetes-list-type: atomic
7262
namespaceSelector:
7263
description: |-
7264
A label query over the set of namespaces that the term applies to.
7265
The term is applied to the union of the namespaces selected by this field
7266
and the ones listed in the namespaces field.
7267
null selector and null or empty namespaces list means "this pod's namespace".
7268
An empty selector ({}) matches all namespaces.
7269
type: object
7270
properties:
7271
matchExpressions:
7272
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7273
type: array
7274
items:
7275
description: |-
7276
A label selector requirement is a selector that contains values, a key, and an operator that
7277
relates the key and values.
7278
type: object
7279
required:
7280
- key
7281
- operator
7282
properties:
7283
key:
7284
description: key is the label key that the selector applies to.
7285
type: string
7286
operator:
7287
description: |-
7288
operator represents a key's relationship to a set of values.
7289
Valid operators are In, NotIn, Exists and DoesNotExist.
7290
type: string
7291
values:
7292
description: |-
7293
values is an array of string values. If the operator is In or NotIn,
7294
the values array must be non-empty. If the operator is Exists or DoesNotExist,
7295
the values array must be empty. This array is replaced during a strategic
7296
merge patch.
7297
type: array
7298
items:
7299
type: string
7300
x-kubernetes-list-type: atomic
7301
x-kubernetes-list-type: atomic
7302
matchLabels:
7303
description: |-
7304
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
7305
map is equivalent to an element of matchExpressions, whose key field is "key", the
7306
operator is "In", and the values array contains only "value". The requirements are ANDed.
7307
type: object
7308
additionalProperties:
7309
type: string
7310
x-kubernetes-map-type: atomic
7311
namespaces:
7312
description: |-
7313
namespaces specifies a static list of namespace names that the term applies to.
7314
The term is applied to the union of the namespaces listed in this field
7315
and the ones selected by namespaceSelector.
7316
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
7317
type: array
7318
items:
7319
type: string
7320
x-kubernetes-list-type: atomic
7321
topologyKey:
7322
description: |-
7323
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
7324
the labelSelector in the specified namespaces, where co-located is defined as running on a node
7325
whose value of the label with key topologyKey matches that of any node on which any of the
7326
selected pods is running.
7327
Empty topologyKey is not allowed.
7328
type: string
7329
x-kubernetes-list-type: atomic
7330
imagePullSecrets:
7331
description: If specified, the pod's imagePullSecrets
7332
type: array
7333
items:
7334
description: |-
7335
LocalObjectReference contains enough information to let you locate the
7336
referenced object inside the same namespace.
7337
type: object
7338
properties:
7339
name:
7340
description: |-
7341
Name of the referent.
7342
This field is effectively required, but due to backwards compatibility is
7343
allowed to be empty. Instances of this type with an empty value here are
7344
almost certainly wrong.
7345
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7346
type: string
7347
default: ""
7348
x-kubernetes-map-type: atomic
7349
nodeSelector:
7350
description: |-
7351
NodeSelector is a selector which must be true for the pod to fit on a node.
7352
Selector which must match a node's labels for the pod to be scheduled on that node.
7353
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
7354
type: object
7355
additionalProperties:
7356
type: string
7357
priorityClassName:
7358
description: If specified, the pod's priorityClassName.
7359
type: string
7360
securityContext:
7361
description: If specified, the pod's security context
7362
type: object
7363
properties:
7364
fsGroup:
7365
description: |-
7366
A special supplemental group that applies to all containers in a pod.
7367
Some volume types allow the Kubelet to change the ownership of that volume
7368
to be owned by the pod:
7369
7370
1. The owning GID will be the FSGroup
7371
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
7372
3. The permission bits are OR'd with rw-rw----
7373
7374
If unset, the Kubelet will not modify the ownership and permissions of any volume.
7375
Note that this field cannot be set when spec.os.name is windows.
7376
type: integer
7377
format: int64
7378
fsGroupChangePolicy:
7379
description: |-
7380
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
7381
before being exposed inside Pod. This field will only apply to
7382
volume types which support fsGroup-based ownership (and permissions).
7383
It will have no effect on ephemeral volume types such as: secret, configmaps
7384
and emptydir.
7385
Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
7386
Note that this field cannot be set when spec.os.name is windows.
7387
type: string
7388
runAsGroup:
7389
description: |-
7390
The GID to run the entrypoint of the container process.
7391
Uses runtime default if unset.
7392
May also be set in SecurityContext. If set in both SecurityContext and
7393
PodSecurityContext, the value specified in SecurityContext takes precedence
7394
for that container.
7395
Note that this field cannot be set when spec.os.name is windows.
7396
type: integer
7397
format: int64
7398
runAsNonRoot:
7399
description: |-
7400
Indicates that the container must run as a non-root user.
7401
If true, the Kubelet will validate the image at runtime to ensure that it
7402
does not run as UID 0 (root) and fail to start the container if it does.
7403
If unset or false, no such validation will be performed.
7404
May also be set in SecurityContext. If set in both SecurityContext and
7405
PodSecurityContext, the value specified in SecurityContext takes precedence.
7406
type: boolean
7407
runAsUser:
7408
description: |-
7409
The UID to run the entrypoint of the container process.
7410
Defaults to user specified in image metadata if unspecified.
7411
May also be set in SecurityContext. If set in both SecurityContext and
7412
PodSecurityContext, the value specified in SecurityContext takes precedence
7413
for that container.
7414
Note that this field cannot be set when spec.os.name is windows.
7415
type: integer
7416
format: int64
7417
seLinuxOptions:
7418
description: |-
7419
The SELinux context to be applied to all containers.
7420
If unspecified, the container runtime will allocate a random SELinux context for each
7421
container. May also be set in SecurityContext. If set in
7422
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
7423
takes precedence for that container.
7424
Note that this field cannot be set when spec.os.name is windows.
7425
type: object
7426
properties:
7427
level:
7428
description: Level is SELinux level label that applies to the container.
7429
type: string
7430
role:
7431
description: Role is a SELinux role label that applies to the container.
7432
type: string
7433
type:
7434
description: Type is a SELinux type label that applies to the container.
7435
type: string
7436
user:
7437
description: User is a SELinux user label that applies to the container.
7438
type: string
7439
seccompProfile:
7440
description: |-
7441
The seccomp options to use by the containers in this pod.
7442
Note that this field cannot be set when spec.os.name is windows.
7443
type: object
7444
required:
7445
- type
7446
properties:
7447
localhostProfile:
7448
description: |-
7449
localhostProfile indicates a profile defined in a file on the node should be used.
7450
The profile must be preconfigured on the node to work.
7451
Must be a descending path, relative to the kubelet's configured seccomp profile location.
7452
Must be set if type is "Localhost". Must NOT be set for any other type.
7453
type: string
7454
type:
7455
description: |-
7456
type indicates which kind of seccomp profile will be applied.
7457
Valid options are:
7458
7459
Localhost - a profile defined in a file on the node should be used.
7460
RuntimeDefault - the container runtime default profile should be used.
7461
Unconfined - no profile should be applied.
7462
type: string
7463
supplementalGroups:
7464
description: |-
7465
A list of groups applied to the first process run in each container, in addition
7466
to the container's primary GID, the fsGroup (if specified), and group memberships
7467
defined in the container image for the uid of the container process. If unspecified,
7468
no additional groups are added to any container. Note that group memberships
7469
defined in the container image for the uid of the container process are still effective,
7470
even if they are not included in this list.
7471
Note that this field cannot be set when spec.os.name is windows.
7472
type: array
7473
items:
7474
type: integer
7475
format: int64
7476
sysctls:
7477
description: |-
7478
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
7479
sysctls (by the container runtime) might fail to launch.
7480
Note that this field cannot be set when spec.os.name is windows.
7481
type: array
7482
items:
7483
description: Sysctl defines a kernel parameter to be set
7484
type: object
7485
required:
7486
- name
7487
- value
7488
properties:
7489
name:
7490
description: Name of a property to set
7491
type: string
7492
value:
7493
description: Value of a property to set
7494
type: string
7495
serviceAccountName:
7496
description: If specified, the pod's service account
7497
type: string
7498
tolerations:
7499
description: If specified, the pod's tolerations.
7500
type: array
7501
items:
7502
description: |-
7503
The pod this Toleration is attached to tolerates any taint that matches
7504
the triple <key,value,effect> using the matching operator <operator>.
7505
type: object
7506
properties:
7507
effect:
7508
description: |-
7509
Effect indicates the taint effect to match. Empty means match all taint effects.
7510
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
7511
type: string
7512
key:
7513
description: |-
7514
Key is the taint key that the toleration applies to. Empty means match all taint keys.
7515
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
7516
type: string
7517
operator:
7518
description: |-
7519
Operator represents a key's relationship to the value.
7520
Valid operators are Exists and Equal. Defaults to Equal.
7521
Exists is equivalent to wildcard for value, so that a pod can
7522
tolerate all taints of a particular category.
7523
type: string
7524
tolerationSeconds:
7525
description: |-
7526
TolerationSeconds represents the period of time the toleration (which must be
7527
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
7528
it is not set, which means tolerate the taint forever (do not evict). Zero and
7529
negative values will be treated as 0 (evict immediately) by the system.
7530
type: integer
7531
format: int64
7532
value:
7533
description: |-
7534
Value is the taint value the toleration matches to.
7535
If the operator is Exists, the value should be empty, otherwise just a regular string.
7536
type: string
7537
serviceType:
7538
description: |-
7539
Optional service type for Kubernetes solver service. Supported values
7540
are NodePort or ClusterIP. If unset, defaults to NodePort.
7541
type: string
7542
selector:
7543
description: |-
7544
Selector selects a set of DNSNames on the Certificate resource that
7545
should be solved using this challenge solver.
7546
If not specified, the solver will be treated as the 'default' solver
7547
with the lowest priority, i.e. if any other solver has a more specific
7548
match, it will be used instead.
7549
type: object
7550
properties:
7551
dnsNames:
7552
description: |-
7553
List of DNSNames that this solver will be used to solve.
7554
If specified and a match is found, a dnsNames selector will take
7555
precedence over a dnsZones selector.
7556
If multiple solvers match with the same dnsNames value, the solver
7557
with the most matching labels in matchLabels will be selected.
7558
If neither has more matches, the solver defined earlier in the list
7559
will be selected.
7560
type: array
7561
items:
7562
type: string
7563
dnsZones:
7564
description: |-
7565
List of DNSZones that this solver will be used to solve.
7566
The most specific DNS zone match specified here will take precedence
7567
over other DNS zone matches, so a solver specifying sys.example.com
7568
will be selected over one specifying example.com for the domain
7569
www.sys.example.com.
7570
If multiple solvers match with the same dnsZones value, the solver
7571
with the most matching labels in matchLabels will be selected.
7572
If neither has more matches, the solver defined earlier in the list
7573
will be selected.
7574
type: array
7575
items:
7576
type: string
7577
matchLabels:
7578
description: |-
7579
A label selector that is used to refine the set of certificates that
7580
this challenge solver will apply to.
7581
type: object
7582
additionalProperties:
7583
type: string
7584
ca:
7585
description: |-
7586
CA configures this issuer to sign certificates using a signing CA keypair
7587
stored in a Secret resource.
7588
This is used to build internal PKIs that are managed by cert-manager.
7589
type: object
7590
required:
7591
- secretName
7592
properties:
7593
crlDistributionPoints:
7594
description: |-
7595
The CRL distribution points is an X.509 v3 certificate extension which identifies
7596
the location of the CRL from which the revocation of this certificate can be checked.
7597
If not set, certificates will be issued without distribution points set.
7598
type: array
7599
items:
7600
type: string
7601
issuingCertificateURLs:
7602
description: |-
7603
IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
7604
it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
7605
As an example, such a URL might be "http://ca.domain.com/ca.crt".
7606
type: array
7607
items:
7608
type: string
7609
ocspServers:
7610
description: |-
7611
The OCSP server list is an X.509 v3 extension that defines a list of
7612
URLs of OCSP responders. The OCSP responders can be queried for the
7613
revocation status of an issued certificate. If not set, the
7614
certificate will be issued with no OCSP servers set. For example, an
7615
OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
7616
type: array
7617
items:
7618
type: string
7619
secretName:
7620
description: |-
7621
SecretName is the name of the secret used to sign Certificates issued
7622
by this Issuer.
7623
type: string
7624
selfSigned:
7625
description: |-
7626
SelfSigned configures this issuer to 'self sign' certificates using the
7627
private key used to create the CertificateRequest object.
7628
type: object
7629
properties:
7630
crlDistributionPoints:
7631
description: |-
7632
The CRL distribution points is an X.509 v3 certificate extension which identifies
7633
the location of the CRL from which the revocation of this certificate can be checked.
7634
If not set, the certificate will be issued without CDP. Values are strings.
7635
type: array
7636
items:
7637
type: string
7638
vault:
7639
description: |-
7640
Vault configures this issuer to sign certificates using a HashiCorp Vault
7641
PKI backend.
7642
type: object
7643
required:
7644
- auth
7645
- path
7646
- server
7647
properties:
7648
auth:
7649
description: Auth configures how cert-manager authenticates with the Vault server.
7650
type: object
7651
properties:
7652
appRole:
7653
description: |-
7654
AppRole authenticates with Vault using the App Role auth mechanism,
7655
with the role and secret stored in a Kubernetes Secret resource.
7656
type: object
7657
required:
7658
- path
7659
- roleId
7660
- secretRef
7661
properties:
7662
path:
7663
description: |-
7664
Path where the App Role authentication backend is mounted in Vault, e.g:
7665
"approle"
7666
type: string
7667
roleId:
7668
description: |-
7669
RoleID configured in the App Role authentication backend when setting
7670
up the authentication backend in Vault.
7671
type: string
7672
secretRef:
7673
description: |-
7674
Reference to a key in a Secret that contains the App Role secret used
7675
to authenticate with Vault.
7676
The `key` field must be specified and denotes which entry within the Secret
7677
resource is used as the app role secret.
7678
type: object
7679
required:
7680
- name
7681
properties:
7682
key:
7683
description: |-
7684
The key of the entry in the Secret resource's `data` field to be used.
7685
Some instances of this field may be defaulted, in others it may be
7686
required.
7687
type: string
7688
name:
7689
description: |-
7690
Name of the resource being referred to.
7691
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7692
type: string
7693
clientCertificate:
7694
description: |-
7695
ClientCertificate authenticates with Vault by presenting a client
7696
certificate during the request's TLS handshake.
7697
Works only when using HTTPS protocol.
7698
type: object
7699
properties:
7700
mountPath:
7701
description: |-
7702
The Vault mountPath here is the mount path to use when authenticating with
7703
Vault. For example, setting a value to `/v1/auth/foo`, will use the path
7704
`/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
7705
default value "/v1/auth/cert" will be used.
7706
type: string
7707
name:
7708
description: |-
7709
Name of the certificate role to authenticate against.
7710
If not set, any certificate role is matched, if available.
7711
type: string
7712
secretName:
7713
description: |-
7714
Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
7715
tls.crt and tls.key) used to authenticate to Vault using TLS client
7716
authentication.
7717
type: string
7718
kubernetes:
7719
description: |-
7720
Kubernetes authenticates with Vault by passing the ServiceAccount
7721
token stored in the named Secret resource to the Vault server.
7722
type: object
7723
required:
7724
- role
7725
properties:
7726
mountPath:
7727
description: |-
7728
The Vault mountPath here is the mount path to use when authenticating with
7729
Vault. For example, setting a value to `/v1/auth/foo`, will use the path
7730
`/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
7731
default value "/v1/auth/kubernetes" will be used.
7732
type: string
7733
role:
7734
description: |-
7735
A required field containing the Vault Role to assume. A Role binds a
7736
Kubernetes ServiceAccount with a set of Vault policies.
7737
type: string
7738
secretRef:
7739
description: |-
7740
The required Secret field containing a Kubernetes ServiceAccount JWT used
7741
for authenticating with Vault. Use of 'ambient credentials' is not
7742
supported.
7743
type: object
7744
required:
7745
- name
7746
properties:
7747
key:
7748
description: |-
7749
The key of the entry in the Secret resource's `data` field to be used.
7750
Some instances of this field may be defaulted, in others it may be
7751
required.
7752
type: string
7753
name:
7754
description: |-
7755
Name of the resource being referred to.
7756
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7757
type: string
7758
serviceAccountRef:
7759
description: |-
7760
A reference to a service account that will be used to request a bound
7761
token (also known as "projected token"). Compared to using "secretRef",
7762
using this field means that you don't rely on statically bound tokens. To
7763
use this field, you must configure an RBAC rule to let cert-manager
7764
request a token.
7765
type: object
7766
required:
7767
- name
7768
properties:
7769
audiences:
7770
description: |-
7771
TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
7772
consisting of the issuer's namespace and name is always included.
7773
type: array
7774
items:
7775
type: string
7776
name:
7777
description: Name of the ServiceAccount used to request a token.
7778
type: string
7779
tokenSecretRef:
7780
description: TokenSecretRef authenticates with Vault by presenting a token.
7781
type: object
7782
required:
7783
- name
7784
properties:
7785
key:
7786
description: |-
7787
The key of the entry in the Secret resource's `data` field to be used.
7788
Some instances of this field may be defaulted, in others it may be
7789
required.
7790
type: string
7791
name:
7792
description: |-
7793
Name of the resource being referred to.
7794
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7795
type: string
7796
caBundle:
7797
description: |-
7798
Base64-encoded bundle of PEM CAs which will be used to validate the certificate
7799
chain presented by Vault. Only used if using HTTPS to connect to Vault and
7800
ignored for HTTP connections.
7801
Mutually exclusive with CABundleSecretRef.
7802
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
7803
the cert-manager controller container is used to validate the TLS connection.
7804
type: string
7805
format: byte
7806
caBundleSecretRef:
7807
description: |-
7808
Reference to a Secret containing a bundle of PEM-encoded CAs to use when
7809
verifying the certificate chain presented by Vault when using HTTPS.
7810
Mutually exclusive with CABundle.
7811
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
7812
the cert-manager controller container is used to validate the TLS connection.
7813
If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
7814
type: object
7815
required:
7816
- name
7817
properties:
7818
key:
7819
description: |-
7820
The key of the entry in the Secret resource's `data` field to be used.
7821
Some instances of this field may be defaulted, in others it may be
7822
required.
7823
type: string
7824
name:
7825
description: |-
7826
Name of the resource being referred to.
7827
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7828
type: string
7829
clientCertSecretRef:
7830
description: |-
7831
Reference to a Secret containing a PEM-encoded Client Certificate to use when the
7832
Vault server requires mTLS.
7833
type: object
7834
required:
7835
- name
7836
properties:
7837
key:
7838
description: |-
7839
The key of the entry in the Secret resource's `data` field to be used.
7840
Some instances of this field may be defaulted, in others it may be
7841
required.
7842
type: string
7843
name:
7844
description: |-
7845
Name of the resource being referred to.
7846
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7847
type: string
7848
clientKeySecretRef:
7849
description: |-
7850
Reference to a Secret containing a PEM-encoded Client Private Key to use when the
7851
Vault server requires mTLS.
7852
type: object
7853
required:
7854
- name
7855
properties:
7856
key:
7857
description: |-
7858
The key of the entry in the Secret resource's `data` field to be used.
7859
Some instances of this field may be defaulted, in others it may be
7860
required.
7861
type: string
7862
name:
7863
description: |-
7864
Name of the resource being referred to.
7865
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7866
type: string
7867
namespace:
7868
description: |-
7869
Name of the Vault namespace. Namespaces are a Vault Enterprise feature that allows Vault environments to support secure multi-tenancy, e.g. "ns1".
7870
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
7871
type: string
7872
path:
7873
description: |-
7874
Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
7875
"my_pki_mount/sign/my-role-name".
7876
type: string
7877
server:
7878
description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
7879
type: string
7880
venafi:
7881
description: |-
7882
Venafi configures this issuer to sign certificates using a Venafi TPP
7883
or Venafi Cloud policy zone.
7884
type: object
7885
required:
7886
- zone
7887
properties:
7888
cloud:
7889
description: |-
7890
Cloud specifies the Venafi cloud configuration settings.
7891
Only one of TPP or Cloud may be specified.
7892
type: object
7893
required:
7894
- apiTokenSecretRef
7895
properties:
7896
apiTokenSecretRef:
7897
description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
7898
type: object
7899
required:
7900
- name
7901
properties:
7902
key:
7903
description: |-
7904
The key of the entry in the Secret resource's `data` field to be used.
7905
Some instances of this field may be defaulted, in others it may be
7906
required.
7907
type: string
7908
name:
7909
description: |-
7910
Name of the resource being referred to.
7911
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7912
type: string
7913
url:
7914
description: |-
7915
URL is the base URL for Venafi Cloud.
7916
Defaults to "https://api.venafi.cloud/v1".
7917
type: string
7918
tpp:
7919
description: |-
7920
TPP specifies Trust Protection Platform configuration settings.
7921
Only one of TPP or Cloud may be specified.
7922
type: object
7923
required:
7924
- credentialsRef
7925
- url
7926
properties:
7927
caBundle:
7928
description: |-
7929
Base64-encoded bundle of PEM CAs which will be used to validate the certificate
7930
chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
7931
If undefined, the certificate bundle in the cert-manager controller container
7932
is used to validate the chain.
7933
type: string
7934
format: byte
7935
caBundleSecretRef:
7936
description: |-
7937
Reference to a Secret containing a base64-encoded bundle of PEM CAs
7938
which will be used to validate the certificate chain presented by the TPP server.
7939
Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
7940
If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
7941
the cert-manager controller container is used to validate the TLS connection.
7942
type: object
7943
required:
7944
- name
7945
properties:
7946
key:
7947
description: |-
7948
The key of the entry in the Secret resource's `data` field to be used.
7949
Some instances of this field may be defaulted, in others it may be
7950
required.
7951
type: string
7952
name:
7953
description: |-
7954
Name of the resource being referred to.
7955
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7956
type: string
7957
credentialsRef:
7958
description: |-
7959
CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
7960
The secret must contain the key 'access-token' for the Access Token Authentication,
7961
or two keys, 'username' and 'password' for the API Keys Authentication.
7962
type: object
7963
required:
7964
- name
7965
properties:
7966
name:
7967
description: |-
7968
Name of the resource being referred to.
7969
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7970
type: string
7971
url:
7972
description: |-
7973
URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
7974
for example: "https://tpp.example.com/vedsdk".
7975
type: string
7976
zone:
7977
description: |-
7978
Zone is the Venafi Policy Zone to use for this issuer.
7979
All requests made to the Venafi platform will be restricted by the named
7980
zone policy.
7981
This field is required.
7982
type: string
7983
status:
7984
description: Status of the ClusterIssuer. This is set and managed automatically.
7985
type: object
7986
properties:
7987
acme:
7988
description: |-
7989
ACME specific status options.
7990
This field should only be set if the Issuer is configured to use an ACME
7991
server to issue certificates.
7992
type: object
7993
properties:
7994
lastPrivateKeyHash:
7995
description: |-
7996
LastPrivateKeyHash is a hash of the private key associated with the latest
7997
registered ACME account, in order to track changes made to registered account
7998
associated with the Issuer
7999
type: string
8000
lastRegisteredEmail:
8001
description: |-
8002
LastRegisteredEmail is the email associated with the latest registered
8003
ACME account, in order to track changes made to registered account
8004
associated with the Issuer
8005
type: string
8006
uri:
8007
description: |-
8008
URI is the unique account identifier, which can also be used to retrieve
8009
account details from the CA
8010
type: string
8011
conditions:
8012
description: |-
8013
List of status conditions to indicate the status of a CertificateRequest.
8014
Known condition types are `Ready`.
8015
type: array
8016
items:
8017
description: IssuerCondition contains condition information for an Issuer.
8018
type: object
8019
required:
8020
- status
8021
- type
8022
properties:
8023
lastTransitionTime:
8024
description: |-
8025
LastTransitionTime is the timestamp corresponding to the last status
8026
change of this condition.
8027
type: string
8028
format: date-time
8029
message:
8030
description: |-
8031
Message is a human readable description of the details of the last
8032
transition, complementing reason.
8033
type: string
8034
observedGeneration:
8035
description: |-
8036
If set, this represents the .metadata.generation that the condition was
8037
set based upon.
8038
For instance, if .metadata.generation is currently 12, but the
8039
.status.condition[x].observedGeneration is 9, the condition is out of date
8040
with respect to the current state of the Issuer.
8041
type: integer
8042
format: int64
8043
reason:
8044
description: |-
8045
Reason is a brief machine readable explanation for the condition's last
8046
transition.
8047
type: string
8048
status:
8049
description: Status of the condition, one of (`True`, `False`, `Unknown`).
8050
type: string
8051
enum:
8052
- "True"
8053
- "False"
8054
- Unknown
8055
type:
8056
description: Type of the condition, known values are (`Ready`).
8057
type: string
8058
x-kubernetes-list-map-keys:
8059
- type
8060
x-kubernetes-list-type: map
8061
served: true
8062
storage: true
8063
8064
# END crd
8065
---
8066
# Source: cert-manager/templates/crds.yaml
8067
# START crd
8068
apiVersion: apiextensions.k8s.io/v1
8069
kind: CustomResourceDefinition
8070
metadata:
8071
name: issuers.cert-manager.io
8072
# START annotations
8073
annotations:
8074
helm.sh/resource-policy: keep
8075
# END annotations
8076
labels:
8077
app: 'cert-manager'
8078
app.kubernetes.io/name: 'cert-manager'
8079
app.kubernetes.io/instance: 'cert-manager'
8080
app.kubernetes.io/component: "crds"
8081
# Generated labels
8082
app.kubernetes.io/version: "v1.17.0"
8083
spec:
8084
group: cert-manager.io
8085
names:
8086
kind: Issuer
8087
listKind: IssuerList
8088
plural: issuers
8089
singular: issuer
8090
categories:
8091
- cert-manager
8092
scope: Namespaced
8093
versions:
8094
- name: v1
8095
subresources:
8096
status: {}
8097
additionalPrinterColumns:
8098
- jsonPath: .status.conditions[?(@.type=="Ready")].status
8099
name: Ready
8100
type: string
8101
- jsonPath: .status.conditions[?(@.type=="Ready")].message
8102
name: Status
8103
priority: 1
8104
type: string
8105
- jsonPath: .metadata.creationTimestamp
8106
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
8107
name: Age
8108
type: date
8109
schema:
8110
openAPIV3Schema:
8111
description: |-
8112
An Issuer represents a certificate issuing authority which can be
8113
referenced as part of `issuerRef` fields.
8114
It is scoped to a single namespace and can therefore only be referenced by
8115
resources within the same namespace.
8116
type: object
8117
required:
8118
- spec
8119
properties:
8120
apiVersion:
8121
description: |-
8122
APIVersion defines the versioned schema of this representation of an object.
8123
Servers should convert recognized schemas to the latest internal value, and
8124
may reject unrecognized values.
8125
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
8126
type: string
8127
kind:
8128
description: |-
8129
Kind is a string value representing the REST resource this object represents.
8130
Servers may infer this from the endpoint the client submits requests to.
8131
Cannot be updated.
8132
In CamelCase.
8133
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
8134
type: string
8135
metadata:
8136
type: object
8137
spec:
8138
description: Desired state of the Issuer resource.
8139
type: object
8140
properties:
8141
acme:
8142
description: |-
8143
ACME configures this issuer to communicate with a RFC8555 (ACME) server
8144
to obtain signed x509 certificates.
8145
type: object
8146
required:
8147
- privateKeySecretRef
8148
- server
8149
properties:
8150
caBundle:
8151
description: |-
8152
Base64-encoded bundle of PEM CAs which can be used to validate the certificate
8153
chain presented by the ACME server.
8154
Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
8155
kinds of security vulnerabilities.
8156
If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
8157
the container is used to validate the TLS connection.
8158
type: string
8159
format: byte
8160
disableAccountKeyGeneration:
8161
description: |-
8162
Enables or disables generating a new ACME account key.
8163
If true, the Issuer resource will *not* request a new account but will expect
8164
the account key to be supplied via an existing secret.
8165
If false, the cert-manager system will generate a new ACME account key
8166
for the Issuer.
8167
Defaults to false.
8168
type: boolean
8169
email:
8170
description: |-
8171
Email is the email address to be associated with the ACME account.
8172
This field is optional, but it is strongly recommended to be set.
8173
It will be used to contact you in case of issues with your account or
8174
certificates, including expiry notification emails.
8175
This field may be updated after the account is initially registered.
8176
type: string
8177
enableDurationFeature:
8178
description: |-
8179
Enables requesting a Not After date on certificates that matches the
8180
duration of the certificate. This is not supported by all ACME servers
8181
like Let's Encrypt. If set to true when the ACME server does not support
8182
it, it will create an error on the Order.
8183
Defaults to false.
8184
type: boolean
8185
externalAccountBinding:
8186
description: |-
8187
ExternalAccountBinding is a reference to a CA external account of the ACME
8188
server.
8189
If set, upon registration cert-manager will attempt to associate the given
8190
external account credentials with the registered ACME account.
8191
type: object
8192
required:
8193
- keyID
8194
- keySecretRef
8195
properties:
8196
keyAlgorithm:
8197
description: |-
8198
Deprecated: keyAlgorithm field exists for historical compatibility
8199
reasons and should not be used. The algorithm is now hardcoded to HS256
8200
in golang/x/crypto/acme.
8201
type: string
8202
enum:
8203
- HS256
8204
- HS384
8205
- HS512
8206
keyID:
8207
description: keyID is the ID of the CA key that the External Account is bound to.
8208
type: string
8209
keySecretRef:
8210
description: |-
8211
keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
8212
Secret which holds the symmetric MAC key of the External Account Binding.
8213
The `key` is the index string that is paired with the key data in the
8214
Secret and should not be confused with the key data itself, or indeed with
8215
the External Account Binding keyID above.
8216
The secret key stored in the Secret **must** be un-padded, base64 URL
8217
encoded data.
8218
type: object
8219
required:
8220
- name
8221
properties:
8222
key:
8223
description: |-
8224
The key of the entry in the Secret resource's `data` field to be used.
8225
Some instances of this field may be defaulted, in others it may be
8226
required.
8227
type: string
8228
name:
8229
description: |-
8230
Name of the resource being referred to.
8231
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8232
type: string
8233
preferredChain:
8234
description: |-
8235
PreferredChain is the chain to use if the ACME server outputs multiple.
8236
PreferredChain is no guarantee that this one gets delivered by the ACME
8237
endpoint.
8238
For example, for Let's Encrypt's DST crosssign you would use:
8239
"DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
8240
This value picks the first certificate bundle in the combined set of
8241
ACME default and alternative chains that has a root-most certificate with
8242
this value as its issuer's commonname.
8243
type: string
8244
maxLength: 64
8245
privateKeySecretRef:
8246
description: |-
8247
PrivateKey is the name of a Kubernetes Secret resource that will be used to
8248
store the automatically generated ACME account private key.
8249
Optionally, a `key` may be specified to select a specific entry within
8250
the named Secret resource.
8251
If `key` is not specified, a default of `tls.key` will be used.
8252
type: object
8253
required:
8254
- name
8255
properties:
8256
key:
8257
description: |-
8258
The key of the entry in the Secret resource's `data` field to be used.
8259
Some instances of this field may be defaulted, in others it may be
8260
required.
8261
type: string
8262
name:
8263
description: |-
8264
Name of the resource being referred to.
8265
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8266
type: string
8267
server:
8268
description: |-
8269
Server is the URL used to access the ACME server's 'directory' endpoint.
8270
For example, for Let's Encrypt's staging endpoint, you would use:
8271
"https://acme-staging-v02.api.letsencrypt.org/directory".
8272
Only ACME v2 endpoints (i.e. RFC 8555) are supported.
8273
type: string
8274
skipTLSVerify:
8275
description: |-
8276
INSECURE: Enables or disables validation of the ACME server TLS certificate.
8277
If true, requests to the ACME server will not have the TLS certificate chain
8278
validated.
8279
Mutually exclusive with CABundle; prefer using CABundle to prevent various
8280
kinds of security vulnerabilities.
8281
Only enable this option in development environments.
8282
If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
8283
the container is used to validate the TLS connection.
8284
Defaults to false.
8285
type: boolean
8286
solvers:
8287
description: |-
8288
Solvers is a list of challenge solvers that will be used to solve
8289
ACME challenges for the matching domains.
8290
Solver configurations must be provided in order to obtain certificates
8291
from an ACME server.
8292
For more information, see: https://cert-manager.io/docs/configuration/acme/
8293
type: array
8294
items:
8295
description: |-
8296
An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
8297
A selector may be provided to use different solving strategies for different DNS names.
8298
Only one of HTTP01 or DNS01 must be provided.
8299
type: object
8300
properties:
8301
dns01:
8302
description: |-
8303
Configures cert-manager to attempt to complete authorizations by
8304
performing the DNS01 challenge flow.
8305
type: object
8306
properties:
8307
acmeDNS:
8308
description: |-
8309
Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
8310
DNS01 challenge records.
8311
type: object
8312
required:
8313
- accountSecretRef
8314
- host
8315
properties:
8316
accountSecretRef:
8317
description: |-
8318
A reference to a specific 'key' within a Secret resource.
8319
In some instances, `key` is a required field.
8320
type: object
8321
required:
8322
- name
8323
properties:
8324
key:
8325
description: |-
8326
The key of the entry in the Secret resource's `data` field to be used.
8327
Some instances of this field may be defaulted, in others it may be
8328
required.
8329
type: string
8330
name:
8331
description: |-
8332
Name of the resource being referred to.
8333
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8334
type: string
8335
host:
8336
type: string
8337
akamai:
8338
description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
8339
type: object
8340
required:
8341
- accessTokenSecretRef
8342
- clientSecretSecretRef
8343
- clientTokenSecretRef
8344
- serviceConsumerDomain
8345
properties:
8346
accessTokenSecretRef:
8347
description: |-
8348
A reference to a specific 'key' within a Secret resource.
8349
In some instances, `key` is a required field.
8350
type: object
8351
required:
8352
- name
8353
properties:
8354
key:
8355
description: |-
8356
The key of the entry in the Secret resource's `data` field to be used.
8357
Some instances of this field may be defaulted, in others it may be
8358
required.
8359
type: string
8360
name:
8361
description: |-
8362
Name of the resource being referred to.
8363
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8364
type: string
8365
clientSecretSecretRef:
8366
description: |-
8367
A reference to a specific 'key' within a Secret resource.
8368
In some instances, `key` is a required field.
8369
type: object
8370
required:
8371
- name
8372
properties:
8373
key:
8374
description: |-
8375
The key of the entry in the Secret resource's `data` field to be used.
8376
Some instances of this field may be defaulted, in others it may be
8377
required.
8378
type: string
8379
name:
8380
description: |-
8381
Name of the resource being referred to.
8382
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8383
type: string
8384
clientTokenSecretRef:
8385
description: |-
8386
A reference to a specific 'key' within a Secret resource.
8387
In some instances, `key` is a required field.
8388
type: object
8389
required:
8390
- name
8391
properties:
8392
key:
8393
description: |-
8394
The key of the entry in the Secret resource's `data` field to be used.
8395
Some instances of this field may be defaulted, in others it may be
8396
required.
8397
type: string
8398
name:
8399
description: |-
8400
Name of the resource being referred to.
8401
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8402
type: string
8403
serviceConsumerDomain:
8404
type: string
8405
azureDNS:
8406
description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
8407
type: object
8408
required:
8409
- resourceGroupName
8410
- subscriptionID
8411
properties:
8412
clientID:
8413
description: |-
8414
Auth: Azure Service Principal:
8415
The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
8416
If set, ClientSecret and TenantID must also be set.
8417
type: string
8418
clientSecretSecretRef:
8419
description: |-
8420
Auth: Azure Service Principal:
8421
A reference to a Secret containing the password associated with the Service Principal.
8422
If set, ClientID and TenantID must also be set.
8423
type: object
8424
required:
8425
- name
8426
properties:
8427
key:
8428
description: |-
8429
The key of the entry in the Secret resource's `data` field to be used.
8430
Some instances of this field may be defaulted, in others it may be
8431
required.
8432
type: string
8433
name:
8434
description: |-
8435
Name of the resource being referred to.
8436
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8437
type: string
8438
environment:
8439
description: name of the Azure environment (default AzurePublicCloud)
8440
type: string
8441
enum:
8442
- AzurePublicCloud
8443
- AzureChinaCloud
8444
- AzureGermanCloud
8445
- AzureUSGovernmentCloud
8446
hostedZoneName:
8447
description: name of the DNS zone that should be used
8448
type: string
8449
managedIdentity:
8450
description: |-
8451
Auth: Azure Workload Identity or Azure Managed Service Identity:
8452
Settings to enable Azure Workload Identity or Azure Managed Service Identity
8453
If set, ClientID, ClientSecret and TenantID must not be set.
8454
type: object
8455
properties:
8456
clientID:
8457
description: client ID of the managed identity, can not be used at the same time as resourceID
8458
type: string
8459
resourceID:
8460
description: |-
8461
resource ID of the managed identity, can not be used at the same time as clientID
8462
Cannot be used for Azure Managed Service Identity
8463
type: string
8464
tenantID:
8465
description: tenant ID of the managed identity, can not be used at the same time as resourceID
8466
type: string
8467
resourceGroupName:
8468
description: resource group the DNS zone is located in
8469
type: string
8470
subscriptionID:
8471
description: ID of the Azure subscription
8472
type: string
8473
tenantID:
8474
description: |-
8475
Auth: Azure Service Principal:
8476
The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
8477
If set, ClientID and ClientSecret must also be set.
8478
type: string
8479
cloudDNS:
8480
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
8481
type: object
8482
required:
8483
- project
8484
properties:
8485
hostedZoneName:
8486
description: |-
8487
HostedZoneName is an optional field that tells cert-manager in which
8488
Cloud DNS zone the challenge record has to be created.
8489
If left empty cert-manager will automatically choose a zone.
8490
type: string
8491
project:
8492
type: string
8493
serviceAccountSecretRef:
8494
description: |-
8495
A reference to a specific 'key' within a Secret resource.
8496
In some instances, `key` is a required field.
8497
type: object
8498
required:
8499
- name
8500
properties:
8501
key:
8502
description: |-
8503
The key of the entry in the Secret resource's `data` field to be used.
8504
Some instances of this field may be defaulted, in others it may be
8505
required.
8506
type: string
8507
name:
8508
description: |-
8509
Name of the resource being referred to.
8510
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8511
type: string
8512
cloudflare:
8513
description: Use the Cloudflare API to manage DNS01 challenge records.
8514
type: object
8515
properties:
8516
apiKeySecretRef:
8517
description: |-
8518
API key to use to authenticate with Cloudflare.
8519
Note: using an API token to authenticate is now the recommended method
8520
as it allows greater control of permissions.
8521
type: object
8522
required:
8523
- name
8524
properties:
8525
key:
8526
description: |-
8527
The key of the entry in the Secret resource's `data` field to be used.
8528
Some instances of this field may be defaulted, in others it may be
8529
required.
8530
type: string
8531
name:
8532
description: |-
8533
Name of the resource being referred to.
8534
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8535
type: string
8536
apiTokenSecretRef:
8537
description: API token used to authenticate with Cloudflare.
8538
type: object
8539
required:
8540
- name
8541
properties:
8542
key:
8543
description: |-
8544
The key of the entry in the Secret resource's `data` field to be used.
8545
Some instances of this field may be defaulted, in others it may be
8546
required.
8547
type: string
8548
name:
8549
description: |-
8550
Name of the resource being referred to.
8551
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8552
type: string
8553
email:
8554
description: Email of the account, only required when using API key based authentication.
8555
type: string
8556
cnameStrategy:
8557
description: |-
8558
CNAMEStrategy configures how the DNS01 provider should handle CNAME
8559
records when found in DNS zones.
8560
type: string
8561
enum:
8562
- None
8563
- Follow
8564
digitalocean:
8565
description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
8566
type: object
8567
required:
8568
- tokenSecretRef
8569
properties:
8570
tokenSecretRef:
8571
description: |-
8572
A reference to a specific 'key' within a Secret resource.
8573
In some instances, `key` is a required field.
8574
type: object
8575
required:
8576
- name
8577
properties:
8578
key:
8579
description: |-
8580
The key of the entry in the Secret resource's `data` field to be used.
8581
Some instances of this field may be defaulted, in others it may be
8582
required.
8583
type: string
8584
name:
8585
description: |-
8586
Name of the resource being referred to.
8587
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8588
type: string
8589
rfc2136:
8590
description: |-
8591
Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
8592
to manage DNS01 challenge records.
8593
type: object
8594
required:
8595
- nameserver
8596
properties:
8597
nameserver:
8598
description: |-
8599
The IP address or hostname of an authoritative DNS server supporting
8600
RFC2136 in the form host:port. If the host is an IPv6 address it must be
8601
enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
8602
This field is required.
8603
type: string
8604
tsigAlgorithm:
8605
description: |-
8606
The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
8607
when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
8608
Supported values are (case-insensitive): ``HMACMD5`` (default),
8609
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
8610
type: string
8611
tsigKeyName:
8612
description: |-
8613
The TSIG Key name configured in the DNS.
8614
If ``tsigSecretSecretRef`` is defined, this field is required.
8615
type: string
8616
tsigSecretSecretRef:
8617
description: |-
8618
The name of the secret containing the TSIG value.
8619
If ``tsigKeyName`` is defined, this field is required.
8620
type: object
8621
required:
8622
- name
8623
properties:
8624
key:
8625
description: |-
8626
The key of the entry in the Secret resource's `data` field to be used.
8627
Some instances of this field may be defaulted, in others it may be
8628
required.
8629
type: string
8630
name:
8631
description: |-
8632
Name of the resource being referred to.
8633
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8634
type: string
8635
route53:
8636
description: Use the AWS Route53 API to manage DNS01 challenge records.
8637
type: object
8638
properties:
8639
accessKeyID:
8640
description: |-
8641
The AccessKeyID is used for authentication.
8642
Cannot be set when SecretAccessKeyID is set.
8643
If neither the Access Key nor Key ID are set, we fall-back to using env
8644
vars, shared credentials file or AWS Instance metadata,
8645
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8646
type: string
8647
accessKeyIDSecretRef:
8648
description: |-
8649
The SecretAccessKey is used for authentication. If set, pull the AWS
8650
access key ID from a key within a Kubernetes Secret.
8651
Cannot be set when AccessKeyID is set.
8652
If neither the Access Key nor Key ID are set, we fall-back to using env
8653
vars, shared credentials file or AWS Instance metadata,
8654
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8655
type: object
8656
required:
8657
- name
8658
properties:
8659
key:
8660
description: |-
8661
The key of the entry in the Secret resource's `data` field to be used.
8662
Some instances of this field may be defaulted, in others it may be
8663
required.
8664
type: string
8665
name:
8666
description: |-
8667
Name of the resource being referred to.
8668
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8669
type: string
8670
auth:
8671
description: Auth configures how cert-manager authenticates.
8672
type: object
8673
required:
8674
- kubernetes
8675
properties:
8676
kubernetes:
8677
description: |-
8678
Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
8679
by passing a bound ServiceAccount token.
8680
type: object
8681
required:
8682
- serviceAccountRef
8683
properties:
8684
serviceAccountRef:
8685
description: |-
8686
A reference to a service account that will be used to request a bound
8687
token (also known as "projected token"). To use this field, you must
8688
configure an RBAC rule to let cert-manager request a token.
8689
type: object
8690
required:
8691
- name
8692
properties:
8693
audiences:
8694
description: |-
8695
TokenAudiences is an optional list of audiences to include in the
8696
token passed to AWS. The default token consisting of the issuer's namespace
8697
and name is always included.
8698
If unset the audience defaults to `sts.amazonaws.com`.
8699
type: array
8700
items:
8701
type: string
8702
name:
8703
description: Name of the ServiceAccount used to request a token.
8704
type: string
8705
hostedZoneID:
8706
description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
8707
type: string
8708
region:
8709
description: |-
8710
Override the AWS region.
8711
8712
Route53 is a global service and does not have regional endpoints but the
8713
region specified here (or via environment variables) is used as a hint to
8714
help compute the correct AWS credential scope and partition when it
8715
connects to Route53. See:
8716
- [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
8717
- [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
8718
8719
If you omit this region field, cert-manager will use the region from
8720
AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
8721
in the cert-manager controller Pod.
8722
8723
The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
8724
Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
8725
[Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
8726
In this case this `region` field value is ignored.
8727
8728
The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
8729
Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
8730
[Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
8731
In this case this `region` field value is ignored.
8732
type: string
8733
role:
8734
description: |-
8735
Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
8736
or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
8737
type: string
8738
secretAccessKeySecretRef:
8739
description: |-
8740
The SecretAccessKey is used for authentication.
8741
If neither the Access Key nor Key ID are set, we fall-back to using env
8742
vars, shared credentials file or AWS Instance metadata,
8743
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8744
type: object
8745
required:
8746
- name
8747
properties:
8748
key:
8749
description: |-
8750
The key of the entry in the Secret resource's `data` field to be used.
8751
Some instances of this field may be defaulted, in others it may be
8752
required.
8753
type: string
8754
name:
8755
description: |-
8756
Name of the resource being referred to.
8757
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8758
type: string
8759
webhook:
8760
description: |-
8761
Configure an external webhook based DNS01 challenge solver to manage
8762
DNS01 challenge records.
8763
type: object
8764
required:
8765
- groupName
8766
- solverName
8767
properties:
8768
config:
8769
description: |-
8770
Additional configuration that should be passed to the webhook apiserver
8771
when challenges are processed.
8772
This can contain arbitrary JSON data.
8773
Secret values should not be specified in this stanza.
8774
If secret values are needed (e.g. credentials for a DNS service), you
8775
should use a SecretKeySelector to reference a Secret resource.
8776
For details on the schema of this field, consult the webhook provider
8777
implementation's documentation.
8778
x-kubernetes-preserve-unknown-fields: true
8779
groupName:
8780
description: |-
8781
The API group name that should be used when POSTing ChallengePayload
8782
resources to the webhook apiserver.
8783
This should be the same as the GroupName specified in the webhook
8784
provider implementation.
8785
type: string
8786
solverName:
8787
description: |-
8788
The name of the solver to use, as defined in the webhook provider
8789
implementation.
8790
This will typically be the name of the provider, e.g. 'cloudflare'.
8791
type: string
8792
http01:
8793
description: |-
8794
Configures cert-manager to attempt to complete authorizations by
8795
performing the HTTP01 challenge flow.
8796
It is not possible to obtain certificates for wildcard domain names
8797
(e.g. `*.example.com`) using the HTTP01 challenge mechanism.
8798
type: object
8799
properties:
8800
gatewayHTTPRoute:
8801
description: |-
8802
The Gateway API is a sig-network community API that models service networking
8803
in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
8804
create HTTPRoutes with the specified labels in the same namespace as the challenge.
8805
This solver is experimental, and fields / behaviour may change in the future.
8806
type: object
8807
properties:
8808
labels:
8809
description: |-
8810
Custom labels that will be applied to HTTPRoutes created by cert-manager
8811
while solving HTTP-01 challenges.
8812
type: object
8813
additionalProperties:
8814
type: string
8815
parentRefs:
8816
description: |-
8817
When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
8818
cert-manager needs to know which parentRefs should be used when creating
8819
the HTTPRoute. Usually, the parentRef references a Gateway. See:
8820
https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
8821
type: array
8822
items:
8823
description: |-
8824
ParentReference identifies an API object (usually a Gateway) that can be considered
8825
a parent of this resource (usually a route). There are two kinds of parent resources
8826
with "Core" support:
8827
8828
* Gateway (Gateway conformance profile)
8829
* Service (Mesh conformance profile, ClusterIP Services only)
8830
8831
This API may be extended in the future to support additional kinds of parent
8832
resources.
8833
8834
The API object must be valid in the cluster; the Group and Kind must
8835
be registered in the cluster for this reference to be valid.
8836
type: object
8837
required:
8838
- name
8839
properties:
8840
group:
8841
description: |-
8842
Group is the group of the referent.
8843
When unspecified, "gateway.networking.k8s.io" is inferred.
8844
To set the core API group (such as for a "Service" kind referent),
8845
Group must be explicitly set to "" (empty string).
8846
8847
Support: Core
8848
type: string
8849
default: gateway.networking.k8s.io
8850
maxLength: 253
8851
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
8852
kind:
8853
description: |-
8854
Kind is kind of the referent.
8855
8856
There are two kinds of parent resources with "Core" support:
8857
8858
* Gateway (Gateway conformance profile)
8859
* Service (Mesh conformance profile, ClusterIP Services only)
8860
8861
Support for other resources is Implementation-Specific.
8862
type: string
8863
default: Gateway
8864
maxLength: 63
8865
minLength: 1
8866
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
8867
name:
8868
description: |-
8869
Name is the name of the referent.
8870
8871
Support: Core
8872
type: string
8873
maxLength: 253
8874
minLength: 1
8875
namespace:
8876
description: |-
8877
Namespace is the namespace of the referent. When unspecified, this refers
8878
to the local namespace of the Route.
8879
8880
Note that there are specific rules for ParentRefs which cross namespace
8881
boundaries. Cross-namespace references are only valid if they are explicitly
8882
allowed by something in the namespace they are referring to. For example:
8883
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
8884
generic way to enable any other kind of cross-namespace reference.
8885
8886
8887
ParentRefs from a Route to a Service in the same namespace are "producer"
8888
routes, which apply default routing rules to inbound connections from
8889
any namespace to the Service.
8890
8891
ParentRefs from a Route to a Service in a different namespace are
8892
"consumer" routes, and these routing rules are only applied to outbound
8893
connections originating from the same namespace as the Route, for which
8894
the intended destination of the connections are a Service targeted as a
8895
ParentRef of the Route.
8896
8897
8898
Support: Core
8899
type: string
8900
maxLength: 63
8901
minLength: 1
8902
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
8903
port:
8904
description: |-
8905
Port is the network port this Route targets. It can be interpreted
8906
differently based on the type of parent resource.
8907
8908
When the parent resource is a Gateway, this targets all listeners
8909
listening on the specified port that also support this kind of Route(and
8910
select this Route). It's not recommended to set `Port` unless the
8911
networking behaviors specified in a Route must apply to a specific port
8912
as opposed to a listener(s) whose port(s) may be changed. When both Port
8913
and SectionName are specified, the name and port of the selected listener
8914
must match both specified values.
8915
8916
8917
When the parent resource is a Service, this targets a specific port in the
8918
Service spec. When both Port (experimental) and SectionName are specified,
8919
the name and port of the selected port must match both specified values.
8920
8921
8922
Implementations MAY choose to support other parent resources.
8923
Implementations supporting other types of parent resources MUST clearly
8924
document how/if Port is interpreted.
8925
8926
For the purpose of status, an attachment is considered successful as
8927
long as the parent resource accepts it partially. For example, Gateway
8928
listeners can restrict which Routes can attach to them by Route kind,
8929
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
8930
from the referencing Route, the Route MUST be considered successfully
8931
attached. If no Gateway listeners accept attachment from this Route,
8932
the Route MUST be considered detached from the Gateway.
8933
8934
Support: Extended
8935
type: integer
8936
format: int32
8937
maximum: 65535
8938
minimum: 1
8939
sectionName:
8940
description: |-
8941
SectionName is the name of a section within the target resource. In the
8942
following resources, SectionName is interpreted as the following:
8943
8944
* Gateway: Listener name. When both Port (experimental) and SectionName
8945
are specified, the name and port of the selected listener must match
8946
both specified values.
8947
* Service: Port name. When both Port (experimental) and SectionName
8948
are specified, the name and port of the selected port must match
8949
both specified values.
8950
8951
Implementations MAY choose to support attaching Routes to other resources.
8952
If that is the case, they MUST clearly document how SectionName is
8953
interpreted.
8954
8955
When unspecified (empty string), this will reference the entire resource.
8956
For the purpose of status, an attachment is considered successful if at
8957
least one section in the parent resource accepts it. For example, Gateway
8958
listeners can restrict which Routes can attach to them by Route kind,
8959
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
8960
the referencing Route, the Route MUST be considered successfully
8961
attached. If no Gateway listeners accept attachment from this Route, the
8962
Route MUST be considered detached from the Gateway.
8963
8964
Support: Core
8965
type: string
8966
maxLength: 253
8967
minLength: 1
8968
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
8969
podTemplate:
8970
description: |-
8971
Optional pod template used to configure the ACME challenge solver pods
8972
used for HTTP01 challenges.
8973
type: object
8974
properties:
8975
metadata:
8976
description: |-
8977
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
8978
Only the 'labels' and 'annotations' fields may be set.
8979
If labels or annotations overlap with in-built values, the values here
8980
will override the in-built values.
8981
type: object
8982
properties:
8983
annotations:
8984
description: Annotations that should be added to the created ACME HTTP01 solver pods.
8985
type: object
8986
additionalProperties:
8987
type: string
8988
labels:
8989
description: Labels that should be added to the created ACME HTTP01 solver pods.
8990
type: object
8991
additionalProperties:
8992
type: string
8993
spec:
8994
description: |-
8995
PodSpec defines overrides for the HTTP01 challenge solver pod.
8996
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
8997
All other fields will be ignored.
8998
type: object
8999
properties:
9000
affinity:
9001
description: If specified, the pod's scheduling constraints
9002
type: object
9003
properties:
9004
nodeAffinity:
9005
description: Describes node affinity scheduling rules for the pod.
9006
type: object
9007
properties:
9008
preferredDuringSchedulingIgnoredDuringExecution:
9009
description: |-
9010
The scheduler will prefer to schedule pods to nodes that satisfy
9011
the affinity expressions specified by this field, but it may choose
9012
a node that violates one or more of the expressions. The node that is
9013
most preferred is the one with the greatest sum of weights, i.e.
9014
for each node that meets all of the scheduling requirements (resource
9015
request, requiredDuringScheduling affinity expressions, etc.),
9016
compute a sum by iterating through the elements of this field and adding
9017
"weight" to the sum if the node matches the corresponding matchExpressions; the
9018
node(s) with the highest sum are the most preferred.
9019
type: array
9020
items:
9021
description: |-
9022
An empty preferred scheduling term matches all objects with implicit weight 0
9023
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
9024
type: object
9025
required:
9026
- preference
9027
- weight
9028
properties:
9029
preference:
9030
description: A node selector term, associated with the corresponding weight.
9031
type: object
9032
properties:
9033
matchExpressions:
9034
description: A list of node selector requirements by node's labels.
9035
type: array
9036
items:
9037
description: |-
9038
A node selector requirement is a selector that contains values, a key, and an operator
9039
that relates the key and values.
9040
type: object
9041
required:
9042
- key
9043
- operator
9044
properties:
9045
key:
9046
description: The label key that the selector applies to.
9047
type: string
9048
operator:
9049
description: |-
9050
Represents a key's relationship to a set of values.
9051
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9052
type: string
9053
values:
9054
description: |-
9055
An array of string values. If the operator is In or NotIn,
9056
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9057
the values array must be empty. If the operator is Gt or Lt, the values
9058
array must have a single element, which will be interpreted as an integer.
9059
This array is replaced during a strategic merge patch.
9060
type: array
9061
items:
9062
type: string
9063
x-kubernetes-list-type: atomic
9064
x-kubernetes-list-type: atomic
9065
matchFields:
9066
description: A list of node selector requirements by node's fields.
9067
type: array
9068
items:
9069
description: |-
9070
A node selector requirement is a selector that contains values, a key, and an operator
9071
that relates the key and values.
9072
type: object
9073
required:
9074
- key
9075
- operator
9076
properties:
9077
key:
9078
description: The label key that the selector applies to.
9079
type: string
9080
operator:
9081
description: |-
9082
Represents a key's relationship to a set of values.
9083
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9084
type: string
9085
values:
9086
description: |-
9087
An array of string values. If the operator is In or NotIn,
9088
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9089
the values array must be empty. If the operator is Gt or Lt, the values
9090
array must have a single element, which will be interpreted as an integer.
9091
This array is replaced during a strategic merge patch.
9092
type: array
9093
items:
9094
type: string
9095
x-kubernetes-list-type: atomic
9096
x-kubernetes-list-type: atomic
9097
x-kubernetes-map-type: atomic
9098
weight:
9099
description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
9100
type: integer
9101
format: int32
9102
x-kubernetes-list-type: atomic
9103
requiredDuringSchedulingIgnoredDuringExecution:
9104
description: |-
9105
If the affinity requirements specified by this field are not met at
9106
scheduling time, the pod will not be scheduled onto the node.
9107
If the affinity requirements specified by this field cease to be met
9108
at some point during pod execution (e.g. due to an update), the system
9109
may or may not try to eventually evict the pod from its node.
9110
type: object
9111
required:
9112
- nodeSelectorTerms
9113
properties:
9114
nodeSelectorTerms:
9115
description: Required. A list of node selector terms. The terms are ORed.
9116
type: array
9117
items:
9118
description: |-
9119
A null or empty node selector term matches no objects. The requirements of
9120
them are ANDed.
9121
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
9122
type: object
9123
properties:
9124
matchExpressions:
9125
description: A list of node selector requirements by node's labels.
9126
type: array
9127
items:
9128
description: |-
9129
A node selector requirement is a selector that contains values, a key, and an operator
9130
that relates the key and values.
9131
type: object
9132
required:
9133
- key
9134
- operator
9135
properties:
9136
key:
9137
description: The label key that the selector applies to.
9138
type: string
9139
operator:
9140
description: |-
9141
Represents a key's relationship to a set of values.
9142
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9143
type: string
9144
values:
9145
description: |-
9146
An array of string values. If the operator is In or NotIn,
9147
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9148
the values array must be empty. If the operator is Gt or Lt, the values
9149
array must have a single element, which will be interpreted as an integer.
9150
This array is replaced during a strategic merge patch.
9151
type: array
9152
items:
9153
type: string
9154
x-kubernetes-list-type: atomic
9155
x-kubernetes-list-type: atomic
9156
matchFields:
9157
description: A list of node selector requirements by node's fields.
9158
type: array
9159
items:
9160
description: |-
9161
A node selector requirement is a selector that contains values, a key, and an operator
9162
that relates the key and values.
9163
type: object
9164
required:
9165
- key
9166
- operator
9167
properties:
9168
key:
9169
description: The label key that the selector applies to.
9170
type: string
9171
operator:
9172
description: |-
9173
Represents a key's relationship to a set of values.
9174
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9175
type: string
9176
values:
9177
description: |-
9178
An array of string values. If the operator is In or NotIn,
9179
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9180
the values array must be empty. If the operator is Gt or Lt, the values
9181
array must have a single element, which will be interpreted as an integer.
9182
This array is replaced during a strategic merge patch.
9183
type: array
9184
items:
9185
type: string
9186
x-kubernetes-list-type: atomic
9187
x-kubernetes-list-type: atomic
9188
x-kubernetes-map-type: atomic
9189
x-kubernetes-list-type: atomic
9190
x-kubernetes-map-type: atomic
9191
podAffinity:
9192
description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
9193
type: object
9194
properties:
9195
preferredDuringSchedulingIgnoredDuringExecution:
9196
description: |-
9197
The scheduler will prefer to schedule pods to nodes that satisfy
9198
the affinity expressions specified by this field, but it may choose
9199
a node that violates one or more of the expressions. The node that is
9200
most preferred is the one with the greatest sum of weights, i.e.
9201
for each node that meets all of the scheduling requirements (resource
9202
request, requiredDuringScheduling affinity expressions, etc.),
9203
compute a sum by iterating through the elements of this field and adding
9204
"weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
9205
node(s) with the highest sum are the most preferred.
9206
type: array
9207
items:
9208
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
9209
type: object
9210
required:
9211
- podAffinityTerm
9212
- weight
9213
properties:
9214
podAffinityTerm:
9215
description: Required. A pod affinity term, associated with the corresponding weight.
9216
type: object
9217
required:
9218
- topologyKey
9219
properties:
9220
labelSelector:
9221
description: |-
9222
A label query over a set of resources, in this case pods.
9223
If it's null, this PodAffinityTerm matches with no Pods.
9224
type: object
9225
properties:
9226
matchExpressions:
9227
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9228
type: array
9229
items:
9230
description: |-
9231
A label selector requirement is a selector that contains values, a key, and an operator that
9232
relates the key and values.
9233
type: object
9234
required:
9235
- key
9236
- operator
9237
properties:
9238
key:
9239
description: key is the label key that the selector applies to.
9240
type: string
9241
operator:
9242
description: |-
9243
operator represents a key's relationship to a set of values.
9244
Valid operators are In, NotIn, Exists and DoesNotExist.
9245
type: string
9246
values:
9247
description: |-
9248
values is an array of string values. If the operator is In or NotIn,
9249
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9250
the values array must be empty. This array is replaced during a strategic
9251
merge patch.
9252
type: array
9253
items:
9254
type: string
9255
x-kubernetes-list-type: atomic
9256
x-kubernetes-list-type: atomic
9257
matchLabels:
9258
description: |-
9259
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9260
map is equivalent to an element of matchExpressions, whose key field is "key", the
9261
operator is "In", and the values array contains only "value". The requirements are ANDed.
9262
type: object
9263
additionalProperties:
9264
type: string
9265
x-kubernetes-map-type: atomic
9266
matchLabelKeys:
9267
description: |-
9268
MatchLabelKeys is a set of pod label keys to select which pods will
9269
be taken into consideration. The keys are used to look up values from the
9270
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
9271
to select the group of existing pods that will be taken into consideration
9272
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9273
pod labels will be ignored. The default value is empty.
9274
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
9275
Also, matchLabelKeys cannot be set when labelSelector isn't set.
9276
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9277
type: array
9278
items:
9279
type: string
9280
x-kubernetes-list-type: atomic
9281
mismatchLabelKeys:
9282
description: |-
9283
MismatchLabelKeys is a set of pod label keys to select which pods will
9284
be taken into consideration. The keys are used to look up values from the
9285
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
9286
to select the group of existing pods that will be taken into consideration
9287
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9288
pod labels will be ignored. The default value is empty.
9289
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
9290
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
9291
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9292
type: array
9293
items:
9294
type: string
9295
x-kubernetes-list-type: atomic
9296
namespaceSelector:
9297
description: |-
9298
A label query over the set of namespaces that the term applies to.
9299
The term is applied to the union of the namespaces selected by this field
9300
and the ones listed in the namespaces field.
9301
null selector and null or empty namespaces list means "this pod's namespace".
9302
An empty selector ({}) matches all namespaces.
9303
type: object
9304
properties:
9305
matchExpressions:
9306
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9307
type: array
9308
items:
9309
description: |-
9310
A label selector requirement is a selector that contains values, a key, and an operator that
9311
relates the key and values.
9312
type: object
9313
required:
9314
- key
9315
- operator
9316
properties:
9317
key:
9318
description: key is the label key that the selector applies to.
9319
type: string
9320
operator:
9321
description: |-
9322
operator represents a key's relationship to a set of values.
9323
Valid operators are In, NotIn, Exists and DoesNotExist.
9324
type: string
9325
values:
9326
description: |-
9327
values is an array of string values. If the operator is In or NotIn,
9328
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9329
the values array must be empty. This array is replaced during a strategic
9330
merge patch.
9331
type: array
9332
items:
9333
type: string
9334
x-kubernetes-list-type: atomic
9335
x-kubernetes-list-type: atomic
9336
matchLabels:
9337
description: |-
9338
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9339
map is equivalent to an element of matchExpressions, whose key field is "key", the
9340
operator is "In", and the values array contains only "value". The requirements are ANDed.
9341
type: object
9342
additionalProperties:
9343
type: string
9344
x-kubernetes-map-type: atomic
9345
namespaces:
9346
description: |-
9347
namespaces specifies a static list of namespace names that the term applies to.
9348
The term is applied to the union of the namespaces listed in this field
9349
and the ones selected by namespaceSelector.
9350
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
9351
type: array
9352
items:
9353
type: string
9354
x-kubernetes-list-type: atomic
9355
topologyKey:
9356
description: |-
9357
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
9358
the labelSelector in the specified namespaces, where co-located is defined as running on a node
9359
whose value of the label with key topologyKey matches that of any node on which any of the
9360
selected pods is running.
9361
Empty topologyKey is not allowed.
9362
type: string
9363
weight:
9364
description: |-
9365
weight associated with matching the corresponding podAffinityTerm,
9366
in the range 1-100.
9367
type: integer
9368
format: int32
9369
x-kubernetes-list-type: atomic
9370
requiredDuringSchedulingIgnoredDuringExecution:
9371
description: |-
9372
If the affinity requirements specified by this field are not met at
9373
scheduling time, the pod will not be scheduled onto the node.
9374
If the affinity requirements specified by this field cease to be met
9375
at some point during pod execution (e.g. due to a pod label update), the
9376
system may or may not try to eventually evict the pod from its node.
9377
When there are multiple elements, the lists of nodes corresponding to each
9378
podAffinityTerm are intersected, i.e. all terms must be satisfied.
9379
type: array
9380
items:
9381
description: |-
9382
Defines a set of pods (namely those matching the labelSelector
9383
relative to the given namespace(s)) that this pod should be
9384
co-located (affinity) or not co-located (anti-affinity) with,
9385
where co-located is defined as running on a node whose value of
9386
the label with key topologyKey matches that of any node on which
9387
a pod of the set of pods is running.
9388
type: object
9389
required:
9390
- topologyKey
9391
properties:
9392
labelSelector:
9393
description: |-
9394
A label query over a set of resources, in this case pods.
9395
If it's null, this PodAffinityTerm matches with no Pods.
9396
type: object
9397
properties:
9398
matchExpressions:
9399
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9400
type: array
9401
items:
9402
description: |-
9403
A label selector requirement is a selector that contains values, a key, and an operator that
9404
relates the key and values.
9405
type: object
9406
required:
9407
- key
9408
- operator
9409
properties:
9410
key:
9411
description: key is the label key that the selector applies to.
9412
type: string
9413
operator:
9414
description: |-
9415
operator represents a key's relationship to a set of values.
9416
Valid operators are In, NotIn, Exists and DoesNotExist.
9417
type: string
9418
values:
9419
description: |-
9420
values is an array of string values. If the operator is In or NotIn,
9421
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9422
the values array must be empty. This array is replaced during a strategic
9423
merge patch.
9424
type: array
9425
items:
9426
type: string
9427
x-kubernetes-list-type: atomic
9428
x-kubernetes-list-type: atomic
9429
matchLabels:
9430
description: |-
9431
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9432
map is equivalent to an element of matchExpressions, whose key field is "key", the
9433
operator is "In", and the values array contains only "value". The requirements are ANDed.
9434
type: object
9435
additionalProperties:
9436
type: string
9437
x-kubernetes-map-type: atomic
9438
matchLabelKeys:
9439
description: |-
9440
MatchLabelKeys is a set of pod label keys to select which pods will
9441
be taken into consideration. The keys are used to look up values from the
9442
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
9443
to select the group of existing pods that will be taken into consideration
9444
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9445
pod labels will be ignored. The default value is empty.
9446
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
9447
Also, matchLabelKeys cannot be set when labelSelector isn't set.
9448
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9449
type: array
9450
items:
9451
type: string
9452
x-kubernetes-list-type: atomic
9453
mismatchLabelKeys:
9454
description: |-
9455
MismatchLabelKeys is a set of pod label keys to select which pods will
9456
be taken into consideration. The keys are used to look up values from the
9457
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
9458
to select the group of existing pods that will be taken into consideration
9459
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9460
pod labels will be ignored. The default value is empty.
9461
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
9462
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
9463
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9464
type: array
9465
items:
9466
type: string
9467
x-kubernetes-list-type: atomic
9468
namespaceSelector:
9469
description: |-
9470
A label query over the set of namespaces that the term applies to.
9471
The term is applied to the union of the namespaces selected by this field
9472
and the ones listed in the namespaces field.
9473
null selector and null or empty namespaces list means "this pod's namespace".
9474
An empty selector ({}) matches all namespaces.
9475
type: object
9476
properties:
9477
matchExpressions:
9478
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9479
type: array
9480
items:
9481
description: |-
9482
A label selector requirement is a selector that contains values, a key, and an operator that
9483
relates the key and values.
9484
type: object
9485
required:
9486
- key
9487
- operator
9488
properties:
9489
key:
9490
description: key is the label key that the selector applies to.
9491
type: string
9492
operator:
9493
description: |-
9494
operator represents a key's relationship to a set of values.
9495
Valid operators are In, NotIn, Exists and DoesNotExist.
9496
type: string
9497
values:
9498
description: |-
9499
values is an array of string values. If the operator is In or NotIn,
9500
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9501
the values array must be empty. This array is replaced during a strategic
9502
merge patch.
9503
type: array
9504
items:
9505
type: string
9506
x-kubernetes-list-type: atomic
9507
x-kubernetes-list-type: atomic
9508
matchLabels:
9509
description: |-
9510
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9511
map is equivalent to an element of matchExpressions, whose key field is "key", the
9512
operator is "In", and the values array contains only "value". The requirements are ANDed.
9513
type: object
9514
additionalProperties:
9515
type: string
9516
x-kubernetes-map-type: atomic
9517
namespaces:
9518
description: |-
9519
namespaces specifies a static list of namespace names that the term applies to.
9520
The term is applied to the union of the namespaces listed in this field
9521
and the ones selected by namespaceSelector.
9522
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
9523
type: array
9524
items:
9525
type: string
9526
x-kubernetes-list-type: atomic
9527
topologyKey:
9528
description: |-
9529
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
9530
the labelSelector in the specified namespaces, where co-located is defined as running on a node
9531
whose value of the label with key topologyKey matches that of any node on which any of the
9532
selected pods is running.
9533
Empty topologyKey is not allowed.
9534
type: string
9535
x-kubernetes-list-type: atomic
9536
podAntiAffinity:
9537
description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
9538
type: object
9539
properties:
9540
preferredDuringSchedulingIgnoredDuringExecution:
9541
description: |-
9542
The scheduler will prefer to schedule pods to nodes that satisfy
9543
the anti-affinity expressions specified by this field, but it may choose
9544
a node that violates one or more of the expressions. The node that is
9545
most preferred is the one with the greatest sum of weights, i.e.
9546
for each node that meets all of the scheduling requirements (resource
9547
request, requiredDuringScheduling anti-affinity expressions, etc.),
9548
compute a sum by iterating through the elements of this field and adding
9549
"weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
9550
node(s) with the highest sum are the most preferred.
9551
type: array
9552
items:
9553
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
9554
type: object
9555
required:
9556
- podAffinityTerm
9557
- weight
9558
properties:
9559
podAffinityTerm:
9560
description: Required. A pod affinity term, associated with the corresponding weight.
9561
type: object
9562
required:
9563
- topologyKey
9564
properties:
9565
labelSelector:
9566
description: |-
9567
A label query over a set of resources, in this case pods.
9568
If it's null, this PodAffinityTerm matches with no Pods.
9569
type: object
9570
properties:
9571
matchExpressions:
9572
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9573
type: array
9574
items:
9575
description: |-
9576
A label selector requirement is a selector that contains values, a key, and an operator that
9577
relates the key and values.
9578
type: object
9579
required:
9580
- key
9581
- operator
9582
properties:
9583
key:
9584
description: key is the label key that the selector applies to.
9585
type: string
9586
operator:
9587
description: |-
9588
operator represents a key's relationship to a set of values.
9589
Valid operators are In, NotIn, Exists and DoesNotExist.
9590
type: string
9591
values:
9592
description: |-
9593
values is an array of string values. If the operator is In or NotIn,
9594
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9595
the values array must be empty. This array is replaced during a strategic
9596
merge patch.
9597
type: array
9598
items:
9599
type: string
9600
x-kubernetes-list-type: atomic
9601
x-kubernetes-list-type: atomic
9602
matchLabels:
9603
description: |-
9604
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9605
map is equivalent to an element of matchExpressions, whose key field is "key", the
9606
operator is "In", and the values array contains only "value". The requirements are ANDed.
9607
type: object
9608
additionalProperties:
9609
type: string
9610
x-kubernetes-map-type: atomic
9611
matchLabelKeys:
9612
description: |-
9613
MatchLabelKeys is a set of pod label keys to select which pods will
9614
be taken into consideration. The keys are used to look up values from the
9615
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
9616
to select the group of existing pods that will be taken into consideration
9617
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9618
pod labels will be ignored. The default value is empty.
9619
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
9620
Also, matchLabelKeys cannot be set when labelSelector isn't set.
9621
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9622
type: array
9623
items:
9624
type: string
9625
x-kubernetes-list-type: atomic
9626
mismatchLabelKeys:
9627
description: |-
9628
MismatchLabelKeys is a set of pod label keys to select which pods will
9629
be taken into consideration. The keys are used to look up values from the
9630
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
9631
to select the group of existing pods that will be taken into consideration
9632
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9633
pod labels will be ignored. The default value is empty.
9634
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
9635
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
9636
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9637
type: array
9638
items:
9639
type: string
9640
x-kubernetes-list-type: atomic
9641
namespaceSelector:
9642
description: |-
9643
A label query over the set of namespaces that the term applies to.
9644
The term is applied to the union of the namespaces selected by this field
9645
and the ones listed in the namespaces field.
9646
null selector and null or empty namespaces list means "this pod's namespace".
9647
An empty selector ({}) matches all namespaces.
9648
type: object
9649
properties:
9650
matchExpressions:
9651
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9652
type: array
9653
items:
9654
description: |-
9655
A label selector requirement is a selector that contains values, a key, and an operator that
9656
relates the key and values.
9657
type: object
9658
required:
9659
- key
9660
- operator
9661
properties:
9662
key:
9663
description: key is the label key that the selector applies to.
9664
type: string
9665
operator:
9666
description: |-
9667
operator represents a key's relationship to a set of values.
9668
Valid operators are In, NotIn, Exists and DoesNotExist.
9669
type: string
9670
values:
9671
description: |-
9672
values is an array of string values. If the operator is In or NotIn,
9673
the values array must be non-empty. If the operator is Exists or DoesNotExist,
9674
the values array must be empty. This array is replaced during a strategic
9675
merge patch.
9676
type: array
9677
items:
9678
type: string
9679
x-kubernetes-list-type: atomic
9680
x-kubernetes-list-type: atomic
9681
matchLabels:
9682
description: |-
9683
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9684
map is equivalent to an element of matchExpressions, whose key field is "key", the
9685
operator is "In", and the values array contains only "value". The requirements are ANDed.
9686
type: object
9687
additionalProperties:
9688
type: string
9689
x-kubernetes-map-type: atomic
9690
namespaces:
9691
description: |-
9692
namespaces specifies a static list of namespace names that the term applies to.
9693
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
weight:
description: |-
weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the anti-affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the anti-affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod label update), the
system may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding to each
podAffinityTerm are intersected, i.e. all terms must be satisfied.
type: array
items:
description: |-
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key topologyKey matches that of any node on which
a pod of the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
x-kubernetes-list-type: atomic
imagePullSecrets:
description: If specified, the pod's imagePullSecrets
type: array
items:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
type: object
properties:
name:
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
default: ""
x-kubernetes-map-type: atomic
nodeSelector:
description: |-
NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
type: object
additionalProperties:
type: string
priorityClassName:
description: If specified, the pod's priorityClassName.
type: string
securityContext:
description: If specified, the pod's security context
type: object
properties:
fsGroup:
description: |-
A special supplemental group that applies to all containers in a pod.
Some volume types allow the Kubelet to change the ownership of that volume
to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw----
If unset, the Kubelet will not modify the ownership and permissions of any volume.
Note that this field cannot be set when spec.os.name is windows.
type: integer
format: int64
fsGroupChangePolicy:
description: |-
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
before being exposed inside Pod. This field will only apply to
volume types which support fsGroup based ownership(and permissions).
It will have no effect on ephemeral volume types such as: secret, configmaps
and emptydir.
Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
Note that this field cannot be set when spec.os.name is windows.
type: string
runAsGroup:
description: |-
The GID to run the entrypoint of the container process.
Uses runtime default if unset.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence
for that container.
Note that this field cannot be set when spec.os.name is windows.
type: integer
format: int64
runAsNonRoot:
description: |-
Indicates that the container must run as a non-root user.
If true, the Kubelet will validate the image at runtime to ensure that it
does not run as UID 0 (root) and fail to start the container if it does.
If unset or false, no such validation will be performed.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
description: |-
The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence
for that container.
Note that this field cannot be set when spec.os.name is windows.
type: integer
format: int64
seLinuxOptions:
description: |-
The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
type: object
properties:
level:
description: Level is SELinux level label that applies to the container.
type: string
role:
description: Role is a SELinux role label that applies to the container.
type: string
type:
description: Type is a SELinux type label that applies to the container.
type: string
user:
description: User is a SELinux user label that applies to the container.
type: string
seccompProfile:
description: |-
The seccomp options to use by the containers in this pod.
Note that this field cannot be set when spec.os.name is windows.
type: object
required:
- type
properties:
localhostProfile:
description: |-
localhostProfile indicates a profile defined in a file on the node should be used.
The profile must be preconfigured on the node to work.
Must be a descending path, relative to the kubelet's configured seccomp profile location.
Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
description: |-
type indicates which kind of seccomp profile will be applied.
Valid options are:
Localhost - a profile defined in a file on the node should be used.
RuntimeDefault - the container runtime default profile should be used.
Unconfined - no profile should be applied.
type: string
supplementalGroups:
description: |-
A list of groups applied to the first process run in each container, in addition
to the container's primary GID, the fsGroup (if specified), and group memberships
defined in the container image for the uid of the container process. If unspecified,
no additional groups are added to any container. Note that group memberships
defined in the container image for the uid of the container process are still effective,
even if they are not included in this list.
Note that this field cannot be set when spec.os.name is windows.
type: array
items:
type: integer
format: int64
sysctls:
description: |-
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Note that this field cannot be set when spec.os.name is windows.
type: array
items:
description: Sysctl defines a kernel parameter to be set
type: object
required:
- name
- value
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
serviceAccountName:
description: If specified, the pod's service account
type: string
tolerations:
description: If specified, the pod's tolerations.
type: array
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the (key, value, effect) triple using the matching operator.
type: object
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
type: integer
format: int64
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
serviceType:
description: |-
Optional service type for Kubernetes solver service. Supported values
are NodePort or ClusterIP. If unset, defaults to NodePort.
type: string
ingress:
description: |-
The ingress based HTTP01 challenge solver will solve challenges by
creating or modifying Ingress resources in order to route requests for
'/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
provisioned by cert-manager for each Challenge to be completed.
type: object
properties:
class:
description: |-
This field configures the annotation `kubernetes.io/ingress.class` when
creating Ingress resources to solve ACME challenges that use this
challenge solver. Only one of `class`, `name` or `ingressClassName` may
be specified.
type: string
ingressClassName:
description: |-
This field configures the field `ingressClassName` on the created Ingress
resources used to solve ACME challenges that use this challenge solver.
This is the recommended way of configuring the ingress class. Only one of
`class`, `name` or `ingressClassName` may be specified.
type: string
ingressTemplate:
description: |-
Optional ingress template used to configure the ACME challenge solver
ingress used for HTTP01 challenges.
type: object
properties:
metadata:
description: |-
ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
Only the 'labels' and 'annotations' fields may be set.
If labels or annotations overlap with in-built values, the values here
will override the in-built values.
type: object
properties:
annotations:
description: Annotations that should be added to the created ACME HTTP01 solver ingress.
type: object
additionalProperties:
type: string
labels:
description: Labels that should be added to the created ACME HTTP01 solver ingress.
type: object
additionalProperties:
type: string
name:
description: |-
The name of the ingress resource that should have ACME challenge solving
routes inserted into it in order to solve HTTP01 challenges.
This is typically used in conjunction with ingress controllers like
ingress-gce, which maintains a 1:1 mapping between external IPs and
ingress resources. Only one of `class`, `name` or `ingressClassName` may
be specified.
type: string
podTemplate:
description: |-
Optional pod template used to configure the ACME challenge solver pods
used for HTTP01 challenges.
type: object
properties:
metadata:
description: |-
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
Only the 'labels' and 'annotations' fields may be set.
If labels or annotations overlap with in-built values, the values here
will override the in-built values.
type: object
properties:
annotations:
description: Annotations that should be added to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
labels:
description: Labels that should be added to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
spec:
description: |-
PodSpec defines overrides for the HTTP01 challenge solver pod.
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
All other fields will be ignored.
type: object
properties:
affinity:
description: If specified, the pod's scheduling constraints
type: object
properties:
nodeAffinity:
description: Describes node affinity scheduling rules for the pod.
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node matches the corresponding matchExpressions; the
node(s) with the highest sum are the most preferred.
type: array
items:
description: |-
An empty preferred scheduling term matches all objects with implicit weight 0
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
type: object
required:
- preference
- weight
properties:
preference:
description: A node selector term, associated with the corresponding weight.
type: object
properties:
matchExpressions:
description: A list of node selector requirements by node's labels.
type: array
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector requirements by node's fields.
type: array
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
x-kubernetes-map-type: atomic
weight:
description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
type: integer
format: int32
x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to an update), the system
may or may not try to eventually evict the pod from its node.
type: object
required:
- nodeSelectorTerms
properties:
nodeSelectorTerms:
description: Required. A list of node selector terms. The terms are ORed.
type: array
items:
description: |-
A null or empty node selector term matches no objects. The requirements of
them are ANDed.
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
type: object
properties:
matchExpressions:
description: A list of node selector requirements by node's labels.
type: array
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector requirements by node's fields.
type: array
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
x-kubernetes-map-type: atomic
x-kubernetes-list-type: atomic
x-kubernetes-map-type: atomic
podAffinity:
description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated with the corresponding weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
weight:
description: |-
weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod label update), the
system may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding to each
podAffinityTerm are intersected, i.e. all terms must be satisfied.
type: array
items:
description: |-
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key <topologyKey> matches that of any node on which
a pod of the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
x-kubernetes-list-type: atomic
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the anti-affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated with the corresponding weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
weight:
description: |-
weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the anti-affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the anti-affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod label update), the
system may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding to each
podAffinityTerm are intersected, i.e. all terms must be satisfied.
type: array
items:
description: |-
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key <topologyKey> matches that of any node on which
a pod of the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
type: array
items:
type: string
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
type: array
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
type: array
items:
type: string
x-kubernetes-list-type: atomic
x-kubernetes-list-type: atomic
matchLabels:
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
additionalProperties:
type: string
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
type: array
items:
type: string
x-kubernetes-list-type: atomic
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
x-kubernetes-list-type: atomic
imagePullSecrets:
description: If specified, the pod's imagePullSecrets
type: array
items:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
type: object
properties:
name:
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
default: ""
x-kubernetes-map-type: atomic
nodeSelector:
description: |-
NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
type: object
additionalProperties:
type: string
priorityClassName:
description: If specified, the pod's priorityClassName.
type: string
securityContext:
description: If specified, the pod's security context
type: object
properties:
fsGroup:
description: |-
A special supplemental group that applies to all containers in a pod.
Some volume types allow the Kubelet to change the ownership of that volume
to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw----
If unset, the Kubelet will not modify the ownership and permissions of any volume.
Note that this field cannot be set when spec.os.name is windows.
type: integer
format: int64
fsGroupChangePolicy:
description: |-
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
before being exposed inside Pod. This field will only apply to
volume types which support fsGroup based ownership(and permissions).
It will have no effect on ephemeral volume types such as: secret, configmaps
and emptydir.
Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
Note that this field cannot be set when spec.os.name is windows.
type: string
runAsGroup:
description: |-
The GID to run the entrypoint of the container process.
Uses runtime default if unset.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence
for that container.
Note that this field cannot be set when spec.os.name is windows.
type: integer
format: int64
runAsNonRoot:
description: |-
Indicates that the container must run as a non-root user.
If true, the Kubelet will validate the image at runtime to ensure that it
does not run as UID 0 (root) and fail to start the container if it does.
If unset or false, no such validation will be performed.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
description: |-
The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence
for that container.
Note that this field cannot be set when spec.os.name is windows.
type: integer
format: int64
seLinuxOptions:
description: |-
The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
type: object
properties:
level:
description: Level is SELinux level label that applies to the container.
type: string
role:
description: Role is a SELinux role label that applies to the container.
type: string
type:
description: Type is a SELinux type label that applies to the container.
type: string
user:
description: User is a SELinux user label that applies to the container.
type: string
seccompProfile:
description: |-
The seccomp options to use by the containers in this pod.
Note that this field cannot be set when spec.os.name is windows.
type: object
required:
- type
properties:
localhostProfile:
description: |-
localhostProfile indicates a profile defined in a file on the node should be used.
The profile must be preconfigured on the node to work.
Must be a descending path, relative to the kubelet's configured seccomp profile location.
Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
description: |-
type indicates which kind of seccomp profile will be applied.
11187
Valid options are:
Localhost - a profile defined in a file on the node should be used.
11190
RuntimeDefault - the container runtime default profile should be used.
11191
Unconfined - no profile should be applied.
11192
type: string
11193
supplementalGroups:
11194
description: |-
11195
A list of groups applied to the first process run in each container, in addition
11196
to the container's primary GID, the fsGroup (if specified), and group memberships
11197
defined in the container image for the uid of the container process. If unspecified,
11198
no additional groups are added to any container. Note that group memberships
11199
defined in the container image for the uid of the container process are still effective,
11200
even if they are not included in this list.
11201
Note that this field cannot be set when spec.os.name is windows.
11202
type: array
11203
items:
11204
type: integer
11205
format: int64
11206
sysctls:
11207
description: |-
11208
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
11209
sysctls (by the container runtime) might fail to launch.
11210
Note that this field cannot be set when spec.os.name is windows.
11211
type: array
11212
items:
11213
description: Sysctl defines a kernel parameter to be set
11214
type: object
11215
required:
11216
- name
11217
- value
11218
properties:
11219
name:
11220
description: Name of a property to set
11221
type: string
11222
value:
11223
description: Value of a property to set
11224
type: string
11225
serviceAccountName:
11226
description: If specified, the name of the ServiceAccount the solver pod runs as. Prefer a dedicated, least-privileged ServiceAccount over the namespace default.
11227
type: string
11228
tolerations:
11229
description: If specified, the pod's tolerations.
11230
type: array
11231
items:
11232
description: |-
11233
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
11235
type: object
11236
properties:
11237
effect:
11238
description: |-
11239
Effect indicates the taint effect to match. Empty means match all taint effects.
11240
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
11241
type: string
11242
key:
11243
description: |-
11244
Key is the taint key that the toleration applies to. Empty means match all taint keys.
11245
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
11246
type: string
11247
operator:
11248
description: |-
11249
Operator represents a key's relationship to the value.
11250
Valid operators are Exists and Equal. Defaults to Equal.
11251
Exists is equivalent to wildcard for value, so that a pod can
11252
tolerate all taints of a particular category.
11253
type: string
11254
tolerationSeconds:
11255
description: |-
11256
TolerationSeconds represents the period of time the toleration (which must be
11257
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
11258
it is not set, which means tolerate the taint forever (do not evict). Zero and
11259
negative values will be treated as 0 (evict immediately) by the system.
11260
type: integer
11261
format: int64
11262
value:
11263
description: |-
11264
Value is the taint value the toleration matches to.
11265
If the operator is Exists, the value should be empty, otherwise just a regular string.
11266
type: string
11267
serviceType:
11268
description: |-
11269
Optional service type for Kubernetes solver service. Supported values
11270
are NodePort or ClusterIP. If unset, defaults to NodePort.
11271
type: string
11272
selector:
11273
description: |-
11274
Selector selects a set of DNSNames on the Certificate resource that
11275
should be solved using this challenge solver.
11276
If not specified, the solver will be treated as the 'default' solver
11277
with the lowest priority, i.e. if any other solver has a more specific
11278
match, it will be used instead.
11279
type: object
11280
properties:
11281
dnsNames:
11282
description: |-
11283
List of DNSNames that this solver will be used to solve.
11284
If specified and a match is found, a dnsNames selector will take
11285
precedence over a dnsZones selector.
11286
If multiple solvers match with the same dnsNames value, the solver
11287
with the most matching labels in matchLabels will be selected.
11288
If neither has more matches, the solver defined earlier in the list
11289
will be selected.
11290
type: array
11291
items:
11292
type: string
11293
dnsZones:
11294
description: |-
11295
List of DNSZones that this solver will be used to solve.
11296
The most specific DNS zone match specified here will take precedence
11297
over other DNS zone matches, so a solver specifying sys.example.com
11298
will be selected over one specifying example.com for the domain
11299
www.sys.example.com.
11300
If multiple solvers match with the same dnsZones value, the solver
11301
with the most matching labels in matchLabels will be selected.
11302
If neither has more matches, the solver defined earlier in the list
11303
will be selected.
11304
type: array
11305
items:
11306
type: string
11307
matchLabels:
11308
description: |-
11309
A label selector that is used to refine the set of Certificates that
11310
this challenge solver will apply to.
11311
type: object
11312
additionalProperties:
11313
type: string
11314
ca:
11315
description: |-
11316
CA configures this issuer to sign certificates using a signing CA keypair
11317
stored in a Secret resource.
11318
This is used to build internal PKIs that are managed by cert-manager.
11319
type: object
11320
required:
11321
- secretName
11322
properties:
11323
crlDistributionPoints:
11324
description: |-
11325
The CRL distribution points is an X.509 v3 certificate extension which identifies
11326
the location of the CRL from which the revocation of this certificate can be checked.
11327
If not set, certificates will be issued without distribution points set.
11328
type: array
11329
items:
11330
type: string
11331
issuingCertificateURLs:
11332
description: |-
11333
IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
11334
it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
11335
As an example, such a URL might be "http://ca.domain.com/ca.crt".
11336
type: array
11337
items:
11338
type: string
11339
ocspServers:
11340
description: |-
11341
The OCSP server list is an X.509 v3 extension that defines a list of
11342
URLs of OCSP responders. The OCSP responders can be queried for the
11343
revocation status of an issued certificate. If not set, the
11344
certificate will be issued with no OCSP servers set. For example, an
11345
OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
11346
type: array
11347
items:
11348
type: string
11349
secretName:
11350
description: |-
11351
SecretName is the name of the secret used to sign Certificates issued
11352
by this Issuer.
11353
type: string
11354
selfSigned:
11355
description: |-
11356
SelfSigned configures this issuer to 'self sign' certificates using the
11357
private key used to create the CertificateRequest object.
11358
type: object
11359
properties:
11360
crlDistributionPoints:
11361
description: |-
11362
The CRL distribution points is an X.509 v3 certificate extension which identifies
11363
the location of the CRL from which the revocation of this certificate can be checked.
11364
If not set, the certificate will be issued without CRL distribution points. Values are strings.
11365
type: array
11366
items:
11367
type: string
11368
vault:
11369
description: |-
11370
Vault configures this issuer to sign certificates using a HashiCorp Vault
11371
PKI backend.
11372
type: object
11373
required:
11374
- auth
11375
- path
11376
- server
11377
properties:
11378
auth:
11379
description: Auth configures how cert-manager authenticates with the Vault server.
11380
type: object
11381
properties:
11382
appRole:
11383
description: |-
11384
AppRole authenticates with Vault using the App Role auth mechanism,
11385
with the role and secret stored in a Kubernetes Secret resource.
11386
type: object
11387
required:
11388
- path
11389
- roleId
11390
- secretRef
11391
properties:
11392
path:
11393
description: |-
11394
Path where the App Role authentication backend is mounted in Vault, e.g:
11395
"approle"
11396
type: string
11397
roleId:
11398
description: |-
11399
RoleID configured in the App Role authentication backend when setting
11400
up the authentication backend in Vault.
11401
type: string
11402
secretRef:
11403
description: |-
11404
Reference to a key in a Secret that contains the App Role secret used
11405
to authenticate with Vault.
11406
The `key` field must be specified and denotes which entry within the Secret
11407
resource is used as the app role secret.
11408
type: object
11409
required:
11410
- name
11411
properties:
11412
key:
11413
description: |-
11414
The key of the entry in the Secret resource's `data` field to be used.
11415
Some instances of this field may be defaulted, in others it may be
11416
required.
11417
type: string
11418
name:
11419
description: |-
11420
Name of the resource being referred to.
11421
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11422
type: string
11423
clientCertificate:
11424
description: |-
11425
ClientCertificate authenticates with Vault by presenting a client
11426
certificate during the request's TLS handshake.
11427
Works only when using HTTPS protocol.
11428
type: object
11429
properties:
11430
mountPath:
11431
description: |-
11432
The Vault mountPath here is the mount path to use when authenticating with
11433
Vault. For example, setting a value to `/v1/auth/foo`, will use the path
11434
`/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
11435
default value "/v1/auth/cert" will be used.
11436
type: string
11437
name:
11438
description: |-
11439
Name of the certificate role to authenticate against.
11440
If not set, any certificate role that matches the presented certificate is used, if available.
11441
type: string
11442
secretName:
11443
description: |-
11444
Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
11445
tls.crt and tls.key) used to authenticate to Vault using TLS client
11446
authentication.
11447
type: string
11448
kubernetes:
11449
description: |-
11450
Kubernetes authenticates with Vault by passing the ServiceAccount
11451
token stored in the named Secret resource to the Vault server.
11452
type: object
11453
required:
11454
- role
11455
properties:
11456
mountPath:
11457
description: |-
11458
The Vault mountPath here is the mount path to use when authenticating with
11459
Vault. For example, setting a value to `/v1/auth/foo`, will use the path
11460
`/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
11461
default value "/v1/auth/kubernetes" will be used.
11462
type: string
11463
role:
11464
description: |-
11465
A required field containing the Vault Role to assume. A Role binds a
11466
Kubernetes ServiceAccount with a set of Vault policies.
11467
type: string
11468
secretRef:
11469
description: |-
11470
The required Secret field containing a Kubernetes ServiceAccount JWT used
11471
for authenticating with Vault. Use of 'ambient credentials' is not
11472
supported.
11473
type: object
11474
required:
11475
- name
11476
properties:
11477
key:
11478
description: |-
11479
The key of the entry in the Secret resource's `data` field to be used.
11480
Some instances of this field may be defaulted, in others it may be
11481
required.
11482
type: string
11483
name:
11484
description: |-
11485
Name of the resource being referred to.
11486
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11487
type: string
11488
serviceAccountRef:
11489
description: |-
11490
A reference to a service account that will be used to request a bound
11491
token (also known as "projected token"). Compared to using "secretRef",
11492
using this field means that you don't rely on statically bound tokens. To
11493
use this field, you must configure an RBAC rule (the "create" verb on the
"serviceaccounts/token" subresource for the referenced ServiceAccount) to let
cert-manager request a token.
11495
type: object
11496
required:
11497
- name
11498
properties:
11499
audiences:
11500
description: |-
11501
TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default
audience, consisting of the issuer's namespace and name, is always included.
11503
type: array
11504
items:
11505
type: string
11506
name:
11507
description: Name of the ServiceAccount used to request a token.
11508
type: string
11509
tokenSecretRef:
11510
description: TokenSecretRef authenticates with Vault by presenting a token.
11511
type: object
11512
required:
11513
- name
11514
properties:
11515
key:
11516
description: |-
11517
The key of the entry in the Secret resource's `data` field to be used.
11518
Some instances of this field may be defaulted, in others it may be
11519
required.
11520
type: string
11521
name:
11522
description: |-
11523
Name of the resource being referred to.
11524
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11525
type: string
11526
caBundle:
11527
description: |-
11528
Base64-encoded bundle of PEM CAs which will be used to validate the certificate
11529
chain presented by Vault. Only used if using HTTPS to connect to Vault and
11530
ignored for HTTP connections.
11531
Mutually exclusive with CABundleSecretRef.
11532
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
11533
the cert-manager controller container is used to validate the TLS connection.
11534
type: string
11535
format: byte
11536
caBundleSecretRef:
11537
description: |-
11538
Reference to a Secret containing a bundle of PEM-encoded CAs to use when
11539
verifying the certificate chain presented by Vault when using HTTPS.
11540
Mutually exclusive with CABundle.
11541
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
11542
the cert-manager controller container is used to validate the TLS connection.
11543
If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
11544
type: object
11545
required:
11546
- name
11547
properties:
11548
key:
11549
description: |-
11550
The key of the entry in the Secret resource's `data` field to be used.
11551
Some instances of this field may be defaulted, in others it may be
11552
required.
11553
type: string
11554
name:
11555
description: |-
11556
Name of the resource being referred to.
11557
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11558
type: string
11559
clientCertSecretRef:
11560
description: |-
11561
Reference to a Secret containing a PEM-encoded Client Certificate to use when the
11562
Vault server requires mTLS.
11563
type: object
11564
required:
11565
- name
11566
properties:
11567
key:
11568
description: |-
11569
The key of the entry in the Secret resource's `data` field to be used.
11570
Some instances of this field may be defaulted, in others it may be
11571
required.
11572
type: string
11573
name:
11574
description: |-
11575
Name of the resource being referred to.
11576
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11577
type: string
11578
clientKeySecretRef:
11579
description: |-
11580
Reference to a Secret containing a PEM-encoded Client Private Key to use when the
11581
Vault server requires mTLS.
11582
type: object
11583
required:
11584
- name
11585
properties:
11586
key:
11587
description: |-
11588
The key of the entry in the Secret resource's `data` field to be used.
11589
Some instances of this field may be defaulted, in others it may be
11590
required.
11591
type: string
11592
name:
11593
description: |-
11594
Name of the resource being referred to.
11595
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11596
type: string
11597
namespace:
11598
description: |-
11599
Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
11600
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
11601
type: string
11602
path:
11603
description: |-
11604
Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
11605
"my_pki_mount/sign/my-role-name".
11606
type: string
11607
server:
11608
description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". Prefer an https:// address: over plain HTTP the Vault authentication credentials travel unencrypted, and caBundle/caBundleSecretRef are ignored.'
11609
type: string
11610
venafi:
11611
description: |-
11612
Venafi configures this issuer to sign certificates using a Venafi TPP
11613
or Venafi Cloud policy zone.
11614
type: object
11615
required:
11616
- zone
11617
properties:
11618
cloud:
11619
description: |-
11620
Cloud specifies the Venafi cloud configuration settings.
11621
Only one of TPP or Cloud may be specified.
11622
type: object
11623
required:
11624
- apiTokenSecretRef
11625
properties:
11626
apiTokenSecretRef:
11627
description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
11628
type: object
11629
required:
11630
- name
11631
properties:
11632
key:
11633
description: |-
11634
The key of the entry in the Secret resource's `data` field to be used.
11635
Some instances of this field may be defaulted, in others it may be
11636
required.
11637
type: string
11638
name:
11639
description: |-
11640
Name of the resource being referred to.
11641
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11642
type: string
11643
url:
11644
description: |-
11645
URL is the base URL for Venafi Cloud.
11646
Defaults to "https://api.venafi.cloud/v1".
11647
type: string
11648
tpp:
11649
description: |-
11650
TPP specifies Trust Protection Platform configuration settings.
11651
Only one of TPP or Cloud may be specified.
11652
type: object
11653
required:
11654
- credentialsRef
11655
- url
11656
properties:
11657
caBundle:
11658
description: |-
11659
Base64-encoded bundle of PEM CAs which will be used to validate the certificate
11660
chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
11661
If undefined, the certificate bundle in the cert-manager controller container
11662
is used to validate the chain.
11663
type: string
11664
format: byte
11665
caBundleSecretRef:
11666
description: |-
11667
Reference to a Secret containing a base64-encoded bundle of PEM CAs
11668
which will be used to validate the certificate chain presented by the TPP server.
11669
Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
11670
If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
11671
the cert-manager controller container is used to validate the TLS connection.
11672
type: object
11673
required:
11674
- name
11675
properties:
11676
key:
11677
description: |-
11678
The key of the entry in the Secret resource's `data` field to be used.
11679
Some instances of this field may be defaulted, in others it may be
11680
required.
11681
type: string
11682
name:
11683
description: |-
11684
Name of the resource being referred to.
11685
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11686
type: string
11687
credentialsRef:
11688
description: |-
11689
CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
11690
The secret must contain the key 'access-token' for the Access Token Authentication,
11691
or two keys, 'username' and 'password' for the API Keys Authentication.
11692
type: object
11693
required:
11694
- name
11695
properties:
11696
name:
11697
description: |-
11698
Name of the resource being referred to.
11699
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11700
type: string
11701
url:
11702
description: |-
11703
URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
11704
for example: "https://tpp.example.com/vedsdk".
11705
type: string
11706
zone:
11707
description: |-
11708
Zone is the Venafi Policy Zone to use for this issuer.
11709
All requests made to the Venafi platform will be restricted by the named
11710
zone policy.
11711
This field is required.
11712
type: string
11713
status:
11714
description: Status of the Issuer. This is set and managed automatically.
11715
type: object
11716
properties:
11717
acme:
11718
description: |-
11719
ACME specific status options.
11720
This field should only be set if the Issuer is configured to use an ACME
11721
server to issue certificates.
11722
type: object
11723
properties:
11724
lastPrivateKeyHash:
11725
description: |-
11726
LastPrivateKeyHash is a hash of the private key associated with the latest
11727
registered ACME account, in order to track changes made to registered account
11728
associated with the Issuer
11729
type: string
11730
lastRegisteredEmail:
11731
description: |-
11732
LastRegisteredEmail is the email associated with the latest registered
11733
ACME account, in order to track changes made to registered account
11734
associated with the Issuer
11735
type: string
11736
uri:
11737
description: |-
11738
URI is the unique account identifier, which can also be used to retrieve
11739
account details from the CA
11740
type: string
11741
conditions:
11742
description: |-
11743
List of status conditions to indicate the status of an Issuer.
11744
Known condition types are `Ready`.
11745
type: array
11746
items:
11747
description: IssuerCondition contains condition information for an Issuer.
11748
type: object
11749
required:
11750
- status
11751
- type
11752
properties:
11753
lastTransitionTime:
11754
description: |-
11755
LastTransitionTime is the timestamp corresponding to the last status
11756
change of this condition.
11757
type: string
11758
format: date-time
11759
message:
11760
description: |-
11761
Message is a human readable description of the details of the last
11762
transition, complementing reason.
11763
type: string
11764
observedGeneration:
11765
description: |-
11766
If set, this represents the .metadata.generation that the condition was
11767
set based upon.
11768
For instance, if .metadata.generation is currently 12, but the
11769
.status.condition[x].observedGeneration is 9, the condition is out of date
11770
with respect to the current state of the Issuer.
11771
type: integer
11772
format: int64
11773
reason:
11774
description: |-
11775
Reason is a brief machine readable explanation for the condition's last
11776
transition.
11777
type: string
11778
status:
11779
description: Status of the condition, one of (`True`, `False`, `Unknown`).
11780
type: string
11781
enum:
11782
- "True"
11783
- "False"
11784
- Unknown
11785
type:
11786
description: Type of the condition, known values are (`Ready`).
11787
type: string
11788
x-kubernetes-list-map-keys:
11789
- type
11790
x-kubernetes-list-type: map
11791
served: true
11792
storage: true
# END crd
11795
---
11796
# Source: cert-manager/templates/crds.yaml
11797
# START crd
11798
apiVersion: apiextensions.k8s.io/v1
11799
kind: CustomResourceDefinition
11800
metadata:
11801
name: orders.acme.cert-manager.io
11802
# START annotations
11803
annotations:
11804
helm.sh/resource-policy: keep
11805
# END annotations
11806
labels:
11807
app: 'cert-manager'
11808
app.kubernetes.io/name: 'cert-manager'
11809
app.kubernetes.io/instance: 'cert-manager'
11810
app.kubernetes.io/component: "crds"
11811
# Generated labels
11812
app.kubernetes.io/version: "v1.17.0"
11813
spec:
11814
group: acme.cert-manager.io
11815
names:
11816
kind: Order
11817
listKind: OrderList
11818
plural: orders
11819
singular: order
11820
categories:
11821
- cert-manager
11822
- cert-manager-acme
11823
scope: Namespaced
11824
versions:
11825
- name: v1
11826
subresources:
11827
status: {}
11828
additionalPrinterColumns:
11829
- jsonPath: .status.state
11830
name: State
11831
type: string
11832
- jsonPath: .spec.issuerRef.name
11833
name: Issuer
11834
priority: 1
11835
type: string
11836
- jsonPath: .status.reason
11837
name: Reason
11838
priority: 1
11839
type: string
11840
- jsonPath: .metadata.creationTimestamp
11841
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
11842
name: Age
11843
type: date
11844
schema:
11845
openAPIV3Schema:
11846
description: Order is a type to represent an Order with an ACME server
11847
type: object
11848
required:
11849
- metadata
11850
- spec
11851
properties:
11852
apiVersion:
11853
description: |-
11854
APIVersion defines the versioned schema of this representation of an object.
11855
Servers should convert recognized schemas to the latest internal value, and
11856
may reject unrecognized values.
11857
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
11858
type: string
11859
kind:
11860
description: |-
11861
Kind is a string value representing the REST resource this object represents.
11862
Servers may infer this from the endpoint the client submits requests to.
11863
Cannot be updated.
11864
In CamelCase.
11865
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
11866
type: string
11867
metadata:
11868
type: object
11869
spec:
11870
type: object
11871
required:
11872
- issuerRef
11873
- request
11874
properties:
11875
commonName:
11876
description: |-
11877
CommonName is the common name as specified on the DER encoded CSR.
11878
If specified, this value must also be present in `dnsNames` or `ipAddresses`.
11879
This field must match the corresponding field on the DER encoded CSR.
11880
type: string
11881
dnsNames:
11882
description: |-
11883
DNSNames is a list of DNS names that should be included as part of the Order
11884
validation process.
11885
This field must match the corresponding field on the DER encoded CSR.
11886
type: array
11887
items:
11888
type: string
11889
duration:
11890
description: |-
11891
Duration is the duration for the not after date for the requested certificate.
11892
This is set on order creation as per the ACME spec.
11893
type: string
11894
ipAddresses:
11895
description: |-
11896
IPAddresses is a list of IP addresses that should be included as part of the Order
11897
validation process.
11898
This field must match the corresponding field on the DER encoded CSR.
11899
type: array
11900
items:
11901
type: string
11902
issuerRef:
11903
description: |-
11904
IssuerRef references a properly configured ACME-type Issuer which should
11905
be used to create this Order.
11906
If the Issuer does not exist, processing will be retried.
11907
If the Issuer is not an 'ACME' Issuer, an error will be returned and the
11908
Order will be marked as failed.
11909
type: object
11910
required:
11911
- name
11912
properties:
11913
group:
11914
description: Group of the resource being referred to.
11915
type: string
11916
kind:
11917
description: Kind of the resource being referred to.
11918
type: string
11919
name:
11920
description: Name of the resource being referred to.
11921
type: string
11922
request:
11923
description: |-
11924
Certificate signing request bytes in DER encoding.
11925
This will be used when finalizing the order.
11926
This field must be set on the order.
11927
type: string
11928
format: byte
11929
status:
11930
type: object
11931
properties:
11932
authorizations:
11933
description: |-
11934
Authorizations contains data returned from the ACME server on what
11935
authorizations must be completed in order to validate the DNS names
11936
specified on the Order.
11937
type: array
11938
items:
11939
description: |-
11940
ACMEAuthorization contains data returned from the ACME server on an
11941
authorization that must be completed in order to validate a DNS name on an ACME
11942
Order resource.
11943
type: object
11944
required:
11945
- url
11946
properties:
11947
challenges:
11948
description: |-
11949
Challenges specifies the challenge types offered by the ACME server.
11950
One of these challenge types will be selected when validating the DNS
11951
name and an appropriate Challenge resource will be created to perform
11952
the ACME challenge process.
11953
type: array
11954
items:
11955
description: |-
11956
Challenge specifies a challenge offered by the ACME server for an Order.
11957
An appropriate Challenge resource can be created to perform the ACME
11958
challenge process.
11959
type: object
11960
required:
11961
- token
11962
- type
11963
- url
11964
properties:
11965
token:
11966
description: |-
11967
Token is the token that must be presented for this challenge.
This is used to compute the key authorization (the token joined with the
ACME account key thumbprint) that must also be presented.
11969
type: string
11970
type:
11971
description: |-
11972
Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
11973
'tls-sni-01', etc.
11974
This is the raw value retrieved from the ACME server.
11975
Only 'http-01' and 'dns-01' are supported by cert-manager, other values
11976
will be ignored.
11977
type: string
11978
url:
11979
description: |-
11980
URL is the URL of this challenge. It can be used to retrieve additional
11981
metadata about the Challenge from the ACME server.
11982
type: string
11983
identifier:
11984
description: Identifier is the DNS name to be validated as part of this authorization
11985
type: string
11986
initialState:
11987
description: |-
11988
InitialState is the initial state of the ACME authorization when first
11989
fetched from the ACME server.
11990
If an Authorization is already 'valid', the Order controller will not
11991
create a Challenge resource for the authorization. This will occur when
11992
working with an ACME server that enables 'authz reuse' (such as Let's
11993
Encrypt's production endpoint).
11994
If not set and 'identifier' is set, the state is assumed to be pending
11995
and a Challenge will be created.
11996
type: string
11997
enum:
11998
- valid
11999
- ready
12000
- pending
12001
- processing
12002
- invalid
12003
- expired
12004
- errored
12005
url:
12006
description: URL is the URL of the Authorization that must be completed
12007
type: string
12008
wildcard:
12009
description: |-
12010
Wildcard will be true if this authorization is for a wildcard DNS name.
12011
If this is true, the identifier will be the *non-wildcard* version of
12012
the DNS name.
12013
For example, if '*.example.com' is the DNS name being validated, this
12014
field will be 'true' and the 'identifier' field will be 'example.com'.
12015
type: boolean
12016
certificate:
12017
description: |-
12018
Certificate is a copy of the PEM encoded certificate for this Order.
12019
This field will be populated after the order has been successfully
12020
finalized with the ACME server, and the order has transitioned to the
12021
'valid' state.
12022
type: string
12023
format: byte
12024
failureTime:
12025
description: |-
12026
FailureTime stores the time that this order failed.
12027
This is used to influence garbage collection and back-off.
12028
type: string
12029
format: date-time
12030
finalizeURL:
12031
description: |-
12032
FinalizeURL of the Order.
12033
This is used to obtain certificates for this order once it has been completed.
12034
type: string
12035
reason:
12036
description: |-
12037
Reason optionally provides more information about why the Order is in
12038
the current state.
12039
type: string
12040
state:
12041
description: |-
12042
State contains the current state of this Order resource.
12043
The 'valid', 'invalid', 'expired' and 'errored' states are 'final'; 'ready', 'pending' and 'processing' are transient.
12044
type: string
12045
enum:
12046
- valid
12047
- ready
12048
- pending
12049
- processing
12050
- invalid
12051
- expired
12052
- errored
12053
url:
12054
description: |-
12055
URL of the Order.
12056
This will initially be empty when the resource is first created.
12057
The Order controller will populate this field when the Order is first processed.
12058
This field will be immutable after it is initially set.
12059
type: string
12060
served: true
12061
storage: true
12062
12063
# END crd
---
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
# Identity for the cainjector pods. Its permissions come from the
# cert-manager-cainjector ClusterRoleBinding and RoleBinding later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cainjector'
    app.kubernetes.io/version: 'v1.17.0'
# The API token is mounted into every pod that uses this account. That is
# required here (the component is bound to cluster-wide RBAC below); keep it
# true unless the workload is changed to never call the API server.
automountServiceAccountToken: true
---
# Source: cert-manager/templates/serviceaccount.yaml
# Identity for the controller pods. Every cert-manager-controller-* binding
# later in this file targets this account, so it is the most privileged
# identity in the install.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
# Token is mounted into the controller pods; required for API access.
automountServiceAccountToken: true
---
# Source: cert-manager/templates/webhook-serviceaccount.yaml
# Identity for the webhook pods. Bound to cert-manager-webhook:subjectaccessreviews
# (cluster scope) and cert-manager-webhook:dynamic-serving (namespace scope)
# later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'webhook'
    app.kubernetes.io/version: 'v1.17.0'
# Token is mounted into the webhook pods; required for API access.
automountServiceAccountToken: true
---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Cluster-scoped permissions for cainjector. None of the rules use
# resourceNames, so each grant covers every object of that kind in every
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cainjector'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  - apiGroups: ['cert-manager.io']
    resources: ['certificates']
    verbs: ['get', 'list', 'watch']
  # Read access to all Secrets in the cluster. This is the broadest grant in
  # the role and the one worth tracking in API audit logs.
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['']
    resources: ['events']
    verbs: ['get', 'create', 'update', 'patch']
  # Write access (update/patch only, no create/delete) to webhook
  # configurations, APIServices and CRDs — presumably for CA bundle injection.
  # A compromised cainjector could therefore alter which CA admission webhooks
  # and aggregated APIs trust.
  - apiGroups: ['admissionregistration.k8s.io']
    resources: ['validatingwebhookconfigurations', 'mutatingwebhookconfigurations']
    verbs: ['get', 'list', 'watch', 'update', 'patch']
  - apiGroups: ['apiregistration.k8s.io']
    resources: ['apiservices']
    verbs: ['get', 'list', 'watch', 'update', 'patch']
  - apiGroups: ['apiextensions.k8s.io']
    resources: ['customresourcedefinitions']
    verbs: ['get', 'list', 'watch', 'update', 'patch']
---
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  - apiGroups: ['cert-manager.io']
    resources: ['issuers', 'issuers/status']
    verbs: ['update', 'patch']
  - apiGroups: ['cert-manager.io']
    resources: ['issuers']
    verbs: ['get', 'list', 'watch']
  # Full read/write on Secrets in every namespace (no resourceNames, no patch).
  # Cluster scope is what lets namespaced Issuers in any namespace be served.
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['get', 'list', 'watch', 'create', 'update', 'delete']
  - apiGroups: ['']
    resources: ['events']
    verbs: ['create', 'patch']
---
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  - apiGroups: ['cert-manager.io']
    resources: ['clusterissuers', 'clusterissuers/status']
    verbs: ['update', 'patch']
  - apiGroups: ['cert-manager.io']
    resources: ['clusterissuers']
    verbs: ['get', 'list', 'watch']
  # Same Secret grant as the issuers role: read/write across all namespaces.
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['get', 'list', 'watch', 'create', 'update', 'delete']
  - apiGroups: ['']
    resources: ['events']
    verbs: ['create', 'patch']
---
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  - apiGroups: ['cert-manager.io']
    resources: ['certificates', 'certificates/status', 'certificaterequests', 'certificaterequests/status']
    verbs: ['update', 'patch']
  - apiGroups: ['cert-manager.io']
    resources: ['certificates', 'certificaterequests', 'clusterissuers', 'issuers']
    verbs: ['get', 'list', 'watch']
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ['cert-manager.io']
    resources: ['certificates/finalizers', 'certificaterequests/finalizers']
    verbs: ['update']
  - apiGroups: ['acme.cert-manager.io']
    resources: ['orders']
    verbs: ['create', 'delete', 'get', 'list', 'watch']
  # Widest Secret grant in the file: every verb including patch, in every
  # namespace. Issued key material is written through this rule.
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['get', 'list', 'watch', 'create', 'update', 'delete', 'patch']
  - apiGroups: ['']
    resources: ['events']
    verbs: ['create', 'patch']
---
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  - apiGroups: ['acme.cert-manager.io']
    resources: ['orders', 'orders/status']
    verbs: ['update', 'patch']
  - apiGroups: ['acme.cert-manager.io']
    resources: ['orders', 'challenges']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['cert-manager.io']
    resources: ['clusterissuers', 'issuers']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['acme.cert-manager.io']
    resources: ['challenges']
    verbs: ['create', 'delete']
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ['acme.cert-manager.io']
    resources: ['orders/finalizers']
    verbs: ['update']
  # Secrets are read-only for this controller (no create/update/delete).
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['']
    resources: ['events']
    verbs: ['create', 'patch']
---
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  # Use to update challenge resource status
  - apiGroups: ['acme.cert-manager.io']
    resources: ['challenges', 'challenges/status']
    verbs: ['update', 'patch']
  # Used to watch challenge resources
  - apiGroups: ['acme.cert-manager.io']
    resources: ['challenges']
    verbs: ['get', 'list', 'watch']
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ['cert-manager.io']
    resources: ['issuers', 'clusterissuers']
    verbs: ['get', 'list', 'watch']
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['get', 'list', 'watch']
  # Used to create events
  - apiGroups: ['']
    resources: ['events']
    verbs: ['create', 'patch']
  # HTTP01 rules
  # The solver workload: this role can create and delete Pods and Services in
  # any namespace, and create/update/delete Ingresses and HTTPRoutes. Pod
  # creation is a write path worth constraining with admission policy
  # (Pod Security Standards) in the namespaces where solvers run.
  - apiGroups: ['']
    resources: ['pods', 'services']
    verbs: ['get', 'list', 'watch', 'create', 'delete']
  - apiGroups: ['networking.k8s.io']
    resources: ['ingresses']
    verbs: ['get', 'list', 'watch', 'create', 'delete', 'update']
  - apiGroups: ['gateway.networking.k8s.io']
    resources: ['httproutes']
    verbs: ['get', 'list', 'watch', 'create', 'delete', 'update']
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ['route.openshift.io']
    resources: ['routes/custom-host']
    verbs: ['create']
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ['acme.cert-manager.io']
    resources: ['challenges/finalizers']
    verbs: ['update']
  # DNS01 rules (duplicated above)
  # Identical to the Secret rule earlier in this role. RBAC rules are purely
  # additive, so the duplicate grants nothing extra.
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['get', 'list', 'watch']
---
# Source: cert-manager/templates/rbac.yaml
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  # Can create/update/delete Certificates and CertificateRequests in any
  # namespace — presumably driven by Ingress/Gateway annotations. Anyone who
  # can annotate an Ingress can therefore trigger issuance through this role.
  - apiGroups: ['cert-manager.io']
    resources: ['certificates', 'certificaterequests']
    verbs: ['create', 'update', 'delete']
  - apiGroups: ['cert-manager.io']
    resources: ['certificates', 'certificaterequests', 'issuers', 'clusterissuers']
    verbs: ['get', 'list', 'watch']
  # Ingress and Gateway API objects are read-only here, except for finalizers.
  - apiGroups: ['networking.k8s.io']
    resources: ['ingresses']
    verbs: ['get', 'list', 'watch']
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ['networking.k8s.io']
    resources: ['ingresses/finalizers']
    verbs: ['update']
  - apiGroups: ['gateway.networking.k8s.io']
    resources: ['gateways', 'httproutes']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['gateway.networking.k8s.io']
    resources: ['gateways/finalizers', 'httproutes/finalizers']
    verbs: ['update']
  - apiGroups: ['']
    resources: ['events']
    verbs: ['create', 'patch']
---
# Source: cert-manager/templates/rbac.yaml
# Aggregation-only role: nothing binds to it directly. The aggregate-to-*
# label folds these read-only rules into the platform's cluster-reader role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cluster-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
    # Must stay a quoted string; label values are strings, not booleans.
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true'
rules:
  - apiGroups: ['cert-manager.io']
    resources: ['clusterissuers']
    verbs: ['get', 'list', 'watch']
---
# Source: cert-manager/templates/rbac.yaml
# Aggregation-only role. Via the labels below, every subject holding the
# built-in view, edit or admin ClusterRole (and cluster-reader) gains read
# access to cert-manager resources — including their status fields.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
    # Label values must stay quoted strings.
    rbac.authorization.k8s.io/aggregate-to-view: 'true'
    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true'
rules:
  - apiGroups: ['cert-manager.io']
    resources: ['certificates', 'certificaterequests', 'issuers']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['acme.cert-manager.io']
    resources: ['challenges', 'orders']
    verbs: ['get', 'list', 'watch']
---
# Source: cert-manager/templates/rbac.yaml
# Aggregation-only role. Holders of the built-in edit or admin ClusterRole can
# create and mutate cert-manager resources in the namespaces they administer;
# note that this includes creating Issuers, which reference Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
    # Label values must stay quoted strings.
    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
  - apiGroups: ['cert-manager.io']
    resources: ['certificates', 'certificaterequests', 'issuers']
    verbs: ['create', 'delete', 'deletecollection', 'patch', 'update']
  # Status subresource write is limited to certificates/status.
  - apiGroups: ['cert-manager.io']
    resources: ['certificates/status']
    verbs: ['update']
  - apiGroups: ['acme.cert-manager.io']
    resources: ['challenges', 'orders']
    verbs: ['create', 'delete', 'deletecollection', 'patch', 'update']
---
# Source: cert-manager/templates/rbac.yaml
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cert-manager'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  # The 'approve' verb on the virtual 'signers' resource is the gate that
  # decides whether a CertificateRequest proceeds to issuance. The trailing
  # '/*' patterns match every Issuer and ClusterIssuer, so this role auto-
  # approves for all of them; narrow the resourceNames if approval should be
  # delegated to an external approver instead.
  - apiGroups: ['cert-manager.io']
    resources: ['signers']
    verbs: ['approve']
    resourceNames:
      - 'issuers.cert-manager.io/*'
      - 'clusterissuers.cert-manager.io/*'
---
# Source: cert-manager/templates/rbac.yaml
# Permission to:
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cert-manager'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  - apiGroups: ['certificates.k8s.io']
    resources: ['certificatesigningrequests']
    verbs: ['get', 'list', 'watch', 'update']
  - apiGroups: ['certificates.k8s.io']
    resources: ['certificatesigningrequests/status']
    verbs: ['update', 'patch']
  # 'sign' is scoped by resourceNames to cert-manager's own signer names, so
  # this role cannot sign CSRs addressed to the built-in kubernetes.io signers.
  - apiGroups: ['certificates.k8s.io']
    resources: ['signers']
    resourceNames: ['issuers.cert-manager.io/*', 'clusterissuers.cert-manager.io/*']
    verbs: ['sign']
  # SubjectAccessReview creation lets the controller ask the API server whether
  # the CSR's requester may reference the named Issuer (see header comment).
  - apiGroups: ['authorization.k8s.io']
    resources: ['subjectaccessreviews']
    verbs: ['create']
---
# Source: cert-manager/templates/webhook-rbac.yaml
# Single-purpose role for the webhook: creating SubjectAccessReviews. These
# are authorization queries only (they grant nothing themselves); presumably
# used by the webhook to check the requesting user's permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'webhook'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  - apiGroups: ['authorization.k8s.io']
    resources: ['subjectaccessreviews']
    verbs: ['create']
---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Grants the cert-manager-cainjector ClusterRole (cluster-wide Secret read,
# webhook/APIService/CRD update) to the cainjector ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cainjector'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Binds the issuers controller role to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Binds the clusterissuers controller role to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Binds the certificates controller role (full Secret write access cluster-wide)
# to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Binds the orders controller role to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Binds the challenges controller role (Pod/Service/Ingress creation in any
# namespace) to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Binds the ingress-shim controller role to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Binds the approval role to the controller ServiceAccount. Removing this
# binding is the documented way to hand CertificateRequest approval to an
# external approver; the ClusterRole itself can stay.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cert-manager'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-approve:cert-manager-io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Binds the CertificateSigningRequest signing role to the controller
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cert-manager'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificatesigningrequests
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/webhook-rbac.yaml
# Binds the SubjectAccessReview role to the webhook ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'webhook'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook:subjectaccessreviews
subjects:
  - kind: ServiceAccount
    name: cert-manager-webhook
    namespace: cert-manager
---
# Source: cert-manager/templates/cainjector-rbac.yaml
# leader election rules
# Namespaced Role in kube-system rather than cert-manager: the cainjector
# Deployment later in this file passes --leader-election-namespace=kube-system,
# so the Leases live there. Nothing else in kube-system is reachable through
# this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cainjector'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  # Used for leader election by the controller
  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  # see cmd/cainjector/start.go#L113
  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  # see cmd/cainjector/start.go#L137
  # get/update/patch are pinned to the two lease names via resourceNames.
  - apiGroups: ['coordination.k8s.io']
    resources: ['leases']
    resourceNames: ['cert-manager-cainjector-leader-election', 'cert-manager-cainjector-leader-election-core']
    verbs: ['get', 'update', 'patch']
  # create cannot be restricted by resourceName, so this grant covers any
  # Lease name in kube-system.
  - apiGroups: ['coordination.k8s.io']
    resources: ['leases']
    verbs: ['create']
---
# Source: cert-manager/templates/rbac.yaml
# Leader-election Role for the controller, in kube-system. The controller
# Deployment is expected to use the same leader-election namespace — confirm
# against its args, as that Deployment is rendered after this section.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  # Mutation is limited to the single 'cert-manager-controller' Lease.
  - apiGroups: ['coordination.k8s.io']
    resources: ['leases']
    resourceNames: ['cert-manager-controller']
    verbs: ['get', 'update', 'patch']
  # create cannot be scoped by resourceName.
  - apiGroups: ['coordination.k8s.io']
    resources: ['leases']
    verbs: ['create']
---
# Source: cert-manager/templates/rbac.yaml
# Lets the controller mint tokens for exactly one ServiceAccount — its own
# ('cert-manager', via resourceNames). The TokenRequest API is the write path
# here; minting tokens for other accounts is not permitted by this Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-tokenrequest
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  - apiGroups: ['']
    resources: ['serviceaccounts/token']
    resourceNames: ['cert-manager']
    verbs: ['create']
---
# Source: cert-manager/templates/webhook-rbac.yaml
# Namespaced Role for the webhook's serving-certificate Secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'webhook'
    app.kubernetes.io/version: 'v1.17.0'
rules:
  # Read/update is pinned to the one Secret holding the webhook CA.
  - apiGroups: ['']
    resources: ['secrets']
    resourceNames:
      - 'cert-manager-webhook-ca'
    verbs: ['get', 'list', 'watch', 'update']
  # It's not possible to grant CREATE permission on a single resourceName.
  # Consequently the webhook may create Secrets of any name in the
  # cert-manager namespace (but not read or modify existing ones beyond the
  # rule above).
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['create']
---
# Source: cert-manager/templates/cainjector-rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
# Cross-namespace binding: the Role is in kube-system, the subject
# ServiceAccount is in cert-manager. (The Role itself grants Leases, not
# ConfigMaps, despite the wording above.)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cainjector'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
# Cross-namespace binding: Role in kube-system, subject ServiceAccount in
# cert-manager. (The Role grants Leases, not ConfigMaps.)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to create tokens for the serviceaccount
# Binds the cert-manager-tokenrequest Role (token creation for the
# 'cert-manager' account only) to that same account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-cert-manager-tokenrequest
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-tokenrequest
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/webhook-rbac.yaml
# Binds the dynamic-serving Role (webhook CA Secret access) to the webhook
# ServiceAccount, within the cert-manager namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'webhook'
    app.kubernetes.io/version: 'v1.17.0'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook:dynamic-serving
subjects:
  - kind: ServiceAccount
    name: cert-manager-webhook
    namespace: cert-manager
---
# Source: cert-manager/templates/cainjector-service.yaml
# Cluster-internal (ClusterIP) metrics endpoint for cainjector. Only the
# metrics port is exposed; the endpoint is plaintext HTTP as named here.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cainjector'
    app.kubernetes.io/version: 'v1.17.0'
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cainjector'
  ports:
    - name: http-metrics
      protocol: TCP
      port: 9402
---
# Source: cert-manager/templates/service.yaml
# Cluster-internal (ClusterIP) metrics endpoint for the controller; port and
# targetPort are both 9402.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
    app.kubernetes.io/version: 'v1.17.0'
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'controller'
  ports:
    - name: tcp-prometheus-servicemonitor
      protocol: TCP
      port: 9402
      targetPort: 9402
---
# Source: cert-manager/templates/webhook-service.yaml
# ClusterIP Service fronting the admission webhook. The API server reaches the
# webhook on 443 (TLS); 9402 is the separate metrics port. targetPort values
# are container port *names*, so they must stay quoted strings.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'webhook'
    app.kubernetes.io/version: 'v1.17.0'
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'webhook'
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 'https'
    - name: metrics
      protocol: TCP
      port: 9402
      targetPort: 'http-metrics'
---
# Source: cert-manager/templates/cainjector-deployment.yaml
# cainjector workload. Hardening present in this render: non-root, default
# seccomp profile, no privilege escalation, all capabilities dropped,
# read-only root filesystem, service links disabled. Not present: resource
# requests/limits (none are set), and the image is pinned by tag rather than
# digest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: 'cainjector'
    app.kubernetes.io/version: 'v1.17.0'
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: 'cainjector'
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: 'cainjector'
        app.kubernetes.io/version: 'v1.17.0'
      annotations:
        # Annotation values are strings; keep 'true' and '9402' quoted.
        prometheus.io/path: '/metrics'
        prometheus.io/scrape: "true"
        prometheus.io/port: "9402"
    spec:
      serviceAccountName: cert-manager-cainjector
      # Prevents every Service in the namespace from being injected as env vars.
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: cert-manager-cainjector
          # Tag-pinned; use a digest if the supply-chain policy requires
          # immutable references.
          image: 'quay.io/jetstack/cert-manager-cainjector:v1.17.0'
          imagePullPolicy: IfNotPresent
          args:
            - '--v=2'
            # Must match the namespace of the leader-election Role/RoleBinding
            # defined earlier in this file.
            - '--leader-election-namespace=kube-system'
          ports:
            - name: http-metrics
              containerPort: 9402
              protocol: TCP
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
---
# Source: cert-manager/templates/deployment.yaml
# Single-replica controller Deployment. Exposes metrics on 9402 and a
# plaintext health endpoint on 9403 used by the liveness probe.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: "v1.17.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: controller
        app.kubernetes.io/version: "v1.17.0"
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: "true"
        prometheus.io/port: "9402"
    spec:
      serviceAccountName: cert-manager
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-controller
          # NOTE(review): pinned by tag only; a digest pin would make the reference immutable.
          image: "quay.io/jetstack/cert-manager-controller:v1.17.0"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # $(POD_NAMESPACE) is expanded from the env entry of the same name below.
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            - --leader-election-namespace=kube-system
            # Solver image for HTTP-01 challenges, pinned to the same release tag.
            - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.17.0
            - --max-concurrent-challenges=60
          ports:
            - name: http-metrics
              protocol: TCP
              containerPort: 9402
            - name: http-healthz
              protocol: TCP
              containerPort: 9403
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # LivenessProbe settings are based on those used for the Kubernetes
          # controller-manager. See:
          # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
          livenessProbe:
            httpGet:
              port: http-healthz
              path: /livez
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 15
            successThreshold: 1
            failureThreshold: 8
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cert-manager/templates/webhook-deployment.yaml
# Single-replica admission webhook Deployment. TLS is served on 10250; the
# probes and metrics use separate plaintext ports (6080 and 9402).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
    app.kubernetes.io/version: "v1.17.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: webhook
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: webhook
        app.kubernetes.io/version: "v1.17.0"
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: "true"
        prometheus.io/port: "9402"
    spec:
      serviceAccountName: cert-manager-webhook
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-webhook
          # NOTE(review): pinned by tag only; a digest pin would make the reference immutable.
          image: "quay.io/jetstack/cert-manager-webhook:v1.17.0"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # TLS listener; matches the "https" containerPort below.
            - --secure-port=10250
            # The serving CA lives in the named Secret in the pod's namespace. This is
            # the same Secret the webhook configurations reference through their
            # cert-manager.io/inject-ca-from-secret annotation. The DNS names cover the
            # short, namespaced and .svc forms of the Service name.
            - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
            - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
            - --dynamic-serving-dns-names=cert-manager-webhook
            - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
            - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
          ports:
            - name: https
              protocol: TCP
              containerPort: 10250
            - name: healthcheck
              protocol: TCP
              containerPort: 6080
            - name: http-metrics
              protocol: TCP
              containerPort: 9402
          # Both probes target the plaintext healthcheck port, not the TLS listener.
          livenessProbe:
            httpGet:
              path: /livez
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cert-manager/templates/crds.yaml
#
# START crd
---
# Source: cert-manager/templates/crds.yaml
# START crd
---
# Source: cert-manager/templates/crds.yaml
# START crd
---
# Source: cert-manager/templates/crds.yaml
# START crd
---
# Source: cert-manager/templates/crds.yaml
# START crd
---
# Source: cert-manager/templates/crds.yaml
# START crd
---
13203
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
13204
apiVersion: admissionregistration.k8s.io/v1
13205
kind: MutatingWebhookConfiguration
13206
metadata:
13207
name: cert-manager-webhook
13208
labels:
13209
app: webhook
13210
app.kubernetes.io/name: webhook
13211
app.kubernetes.io/instance: cert-manager
13212
app.kubernetes.io/component: "webhook"
13213
app.kubernetes.io/version: "v1.17.0"
13214
annotations:
13215
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
13216
webhooks:
13217
- name: webhook.cert-manager.io
13218
rules:
13219
- apiGroups:
13220
- "cert-manager.io"
13221
apiVersions:
13222
- "v1"
13223
operations:
13224
- CREATE
13225
resources:
13226
- "certificaterequests"
13227
admissionReviewVersions: ["v1"]
13228
# This webhook only accepts v1 cert-manager resources.
13229
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
13230
# this webhook (after the resources have been converted to v1).
13231
matchPolicy: Equivalent
13232
timeoutSeconds: 30
13233
failurePolicy: Fail
13234
# Only include 'sideEffects' field in Kubernetes 1.12+
13235
sideEffects: None
13236
clientConfig:
13237
service:
13238
name: cert-manager-webhook
13239
namespace: cert-manager
13240
path: /mutate
13241
---
# Source: cert-manager/templates/webhook-validating-webhook.yaml
# Validating admission for every resource in the cert-manager.io and
# acme.cert-manager.io groups on create and update. As with the mutating
# configuration, caBundle is expected to come from the Secret named in the
# inject-ca-from-secret annotation.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
    app.kubernetes.io/version: "v1.17.0"
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
  - name: webhook.cert-manager.io
    # Opt-out: namespaces labelled cert-manager.io/disable-validation=true are
    # skipped by this webhook. Whoever can set namespace labels can therefore
    # bypass validation, so keep that permission restricted.
    namespaceSelector:
      matchExpressions:
        - key: cert-manager.io/disable-validation
          operator: NotIn
          values:
            - "true"
    rules:
      - apiGroups:
          - cert-manager.io
          - acme.cert-manager.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        # All resources and all subresources in the groups above.
        resources:
          - "*/*"
    admissionReviewVersions:
      - v1
    # The webhook only understands v1 cert-manager resources. With Equivalent,
    # the API server converts requests for other served versions to v1 before
    # sending them here.
    matchPolicy: Equivalent
    timeoutSeconds: 30
    # Fail closed: if the webhook cannot be reached, the admission request is rejected.
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: cert-manager
        path: /validate