From e1c0c42559d43d615e0bd612b7a9cc1fa4c899fd Mon Sep 17 00:00:00 2001 From: Amarendra Kumar Date: Mon, 9 Dec 2024 19:07:38 +0530 Subject: [PATCH 1/8] 15546: Add support for hostPath --- config/core/300-resources/configuration.yaml | 6 +- config/core/300-resources/revision.yaml | 2904 +++++++++-------- config/core/300-resources/service.yaml | 6 +- config/core/configmaps/features.yaml | 12 +- hack/schemapatch-config.yaml | 107 +- pkg/apis/config/features.go | 3 + pkg/apis/config/features_test.go | 18 + pkg/apis/serving/fieldmask.go | 4 + pkg/apis/serving/k8s_validation.go | 53 + pkg/apis/serving/k8s_validation_test.go | 50 + .../route/resources/service_test.go | 1 + 11 files changed, 1728 insertions(+), 1436 deletions(-) diff --git a/config/core/300-resources/configuration.yaml b/config/core/300-resources/configuration.yaml index 2c43aaa5753f..a653d65d54ef 100644 --- a/config/core/300-resources/configuration.yaml +++ b/config/core/300-resources/configuration.yaml @@ -1213,6 +1213,10 @@ spec: description: This is accessible behind a feature flag - kubernetes.podspec-emptydir type: object x-kubernetes-preserve-unknown-fields: true + hostPath: + description: This is accessible behind a feature flag - kubernetes.podspec-hostpath + type: object + x-kubernetes-preserve-unknown-fields: true name: description: |- name of the volume. @@ -1578,4 +1582,4 @@ spec: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. type: integer - format: int64 + format: int64 \ No newline at end of file diff --git a/config/core/300-resources/revision.yaml b/config/core/300-resources/revision.yaml index b4651d9bfe53..6f45a63aa361 100644 --- a/config/core/300-resources/revision.yaml +++ b/config/core/300-resources/revision.yaml 
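Review bot: The new `hostPath` property in the first configuration.yaml hunk is declared as a bare `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the CRD schema itself accepts any `path` and `type` value. Every restriction therefore has to come from the admission validation behind `kubernetes.podspec-hostpath`, which is not visible in this hunk. A hostPath volume exposes part of the node's filesystem to the workload, so the description should say so rather than copy the emptyDir wording, for example `description: This is accessible behind a feature flag - kubernetes.podspec-hostpath. Mounts a directory or file from the node's filesystem into the pod.` This file appears to be generated, so the wording would need to change in the schema patch configuration. It is also worth confirming that the flag ships disabled by default in features.yaml.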
@@ -17,23 +17,26 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: revisions.serving.knative.dev + name: services.serving.knative.dev labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/version: devel knative.dev/crd-install: "true" + duck.knative.dev/addressable: "true" + duck.knative.dev/podspecable: "true" spec: group: serving.knative.dev names: - kind: Revision - plural: revisions - singular: revision + kind: Service + plural: services + singular: service categories: - all - knative - serving shortNames: - - rev + - kservice + - ksvc scope: Namespaced versions: - name: v1 
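Review bot: This hunk turns revision.yaml into a Service CRD: `metadata.name` changes from `revisions.serving.knative.dev` to `services.serving.knative.dev`, and `names` changes from `kind: Revision` to `kind: Service` with the `kservice`/`ksvc` short names. The following hunk does the same to the printer columns and the top-level description. That is unrelated to adding hostPath, and it looks like the Service CRD was generated over the Revision file; the diffstat's 2904 changed lines for revision.yaml fit a wholesale replacement. If so, applying the manifests would presumably leave no Revision CRD and define `services.serving.knative.dev` twice. The file should keep `name: revisions.serving.knative.dev` and `kind: Revision` and be regenerated so that only the hostPath volume property is added.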
@@ -42,33 +45,38 @@ spec: subresources: status: {} additionalPrinterColumns: - - name: Config Name + - name: URL type: string - jsonPath: ".metadata.labels['serving\\.knative\\.dev/configuration']" - - name: Generation - type: string # int in string form :( - jsonPath: ".metadata.labels['serving\\.knative\\.dev/configurationGeneration']" + jsonPath: .status.url + - name: LatestCreated + type: string + jsonPath: .status.latestCreatedRevisionName + - name: LatestReady + type: string + jsonPath: .status.latestReadyRevisionName - name: Ready type: string jsonPath: ".status.conditions[?(@.type=='Ready')].status" - name: Reason type: string jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - - name: Actual Replicas - type: integer - jsonPath: ".status.actualReplicas" - - name: Desired Replicas - type: integer - jsonPath: ".status.desiredReplicas" schema: openAPIV3Schema: description: |- - Revision is an immutable snapshot of code and configuration. A revision - references a container image. Revisions are created by updates to a - Configuration. + Service acts as a top-level container that manages a Route and Configuration + which implement a network service. Service exists to provide a singular + abstraction which can be access controlled, reasoned about, and which + encapsulates software lifecycle decisions such as rollout policy and + team resource ownership. Service acts only as an orchestrator of the + underlying Routes and Configurations (much as a kubernetes Deployment + orchestrates ReplicaSets), and its usage is optional but recommended. + + The Service's controller will track the statuses of its owned Configuration + and Route, reflecting their statuses and conditions as its own. - See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#revision + + See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#service type: object properties: apiVersion: 
@@ -89,1417 +97,1522 @@ spec: metadata: type: object spec: - description: RevisionSpec holds the desired state of the Revision (from the client). + description: |- + ServiceSpec represents the configuration for the Service object. + A Service's specification is the union of the specifications for a Route + and Configuration. The Service restricts what can be expressed in these + fields, e.g. the Route must reference the provided Configuration; + however, these limitations also enable friendlier defaulting, + e.g. Route never needs a Configuration name, and may be defaulted to + the appropriate "run latest" spec. type: object - required: - - containers properties: - affinity: - description: This is accessible behind a feature flag - kubernetes.podspec-affinity + template: + description: Template holds the latest specification for the Revision to be stamped out. type: object - x-kubernetes-preserve-unknown-fields: true - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. - type: boolean - containerConcurrency: - description: |- - ContainerConcurrency specifies the maximum allowed in-flight (concurrent) - requests per container of the Revision. Defaults to `0` which means - concurrency to the application is not limited, and the system decides the - target concurrency for the autoscaler. - type: integer - format: int64 - containers: - description: |- - List of containers belonging to the pod. - Containers cannot currently be added or removed. - There must be at least one container in a Pod. - Cannot be updated. - type: array - items: - description: A single application container that you want to run within a pod. - type: object - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. 
If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - type: array - items: + properties: + metadata: + type: object + properties: + annotations: + type: object + additionalProperties: + type: string + finalizers: + type: array + items: + type: string + labels: + type: object + additionalProperties: + type: string + name: type: string - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - type: array - items: + namespace: type: string - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - type: array - items: - description: EnvVar represents an environment variable present in a Container. - type: object - required: - - name - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. 
- type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - type: object - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - type: object - required: - - key - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
- type: string - default: "" - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - x-kubernetes-map-type: atomic - fieldRef: - description: This is accessible behind a feature flag - kubernetes.podspec-fieldref - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-map-type: atomic - resourceFieldRef: - description: This is accessible behind a feature flag - kubernetes.podspec-fieldref - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - type: object - required: - - key - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - x-kubernetes-map-type: atomic - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is starting. When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. 
- type: array - items: - description: EnvFromSource represents the source of a set of ConfigMaps + x-kubernetes-preserve-unknown-fields: true + spec: + description: RevisionSpec holds the desired state of the Revision (from the client). + type: object + required: + - containers + properties: + affinity: + description: This is accessible behind a feature flag - kubernetes.podspec-affinity type: object - properties: - configMapRef: - description: The ConfigMap to select from - type: object - properties: - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - x-kubernetes-map-type: atomic - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - type: object - properties: - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
- type: string - default: "" - optional: - description: Specify whether the Secret must be defined - type: boolean - x-kubernetes-map-type: atomic - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: object - properties: - exec: - description: Exec specifies the action to take. + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. + type: boolean + containerConcurrency: + description: |- + ContainerConcurrency specifies the maximum allowed in-flight (concurrent) + requests per container of the Revision. Defaults to `0` which means + concurrency to the application is not limited, and the system decides the + target concurrency for the autoscaler. + type: integer + format: int64 + containers: + description: |- + List of containers belonging to the pod. + Containers cannot currently be added or removed. + There must be at least one container in a Pod. + Cannot be updated. + type: array + items: + description: A single application container that you want to run within a pod. 
type: object properties: - command: + args: description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + Arguments to the entrypoint. + The container image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell type: array items: type: string x-kubernetes-list-type: atomic - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - type: integer - format: int32 - grpc: - description: GRPC specifies an action involving a GRPC port. - type: object - required: - - port - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - type: integer - format: int32 - service: + command: description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - - If this is not specified, the default behavior is defined by gRPC. - type: string - httpGet: - description: HTTPGet specifies the http request to perform. 
- type: object - properties: - host: + Entrypoint array. Not executed within a shell. + The container image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + env: description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + List of environment variables to set in the container. + Cannot be updated. type: array items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: EnvVar represents an environment variable present in a Container. type: object required: - name - - value properties: name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. + description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: The header field value + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. 
+ "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + resourceFieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. 
- type: integer - format: int32 - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - type: array - items: - description: ContainerPort represents a network port in a single container. - type: object - required: - - containerPort - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. 
- type: integer - format: int32 - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - default: TCP - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: object - properties: - exec: - description: Exec specifies the action to take. - type: object - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + List of sources to populate environment variables in the container. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. type: array items: - type: string + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic x-kubernetes-list-type: atomic - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - type: integer - format: int32 - grpc: - description: GRPC specifies an action involving a GRPC port. - type: object - required: - - port - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. 
- type: integer - format: int32 - service: + image: + description: |- + Container image name. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + livenessProbe: description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. 
+ type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. - type: string - httpGet: - description: HTTPGet specifies the http request to perform. - type: object - properties: - host: + If this is not specified, the default behavior is defined by gRPC. + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. + Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + ports: + description: |- + List of ports to expose from the container. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Modifying this array with strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. 
+ Cannot be updated. type: array items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: ContainerPort represents a network port in a single container. type: object required: - - name - - value + - containerPort properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 name: description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. type: string - value: - description: The header field value + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". type: string - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. 
- type: integer - format: int32 - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: + Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). 
+ + + If this is not specified, the default behavior is defined by gRPC. + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. 
+ type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + resources: description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. + Compute Resources required by this container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. 
- This field is immutable. It can only be set for containers. - type: array - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - type: object - required: - - name - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - requests: - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
- More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - type: object - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - type: object - properties: - add: - description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. 
- If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + securityContext: description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. 
+ type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: object - properties: - exec: - description: Exec specifies the action to take. - type: object - properties: - command: + Localhost - a profile defined in a file on the node should be used. 
+ RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + startupProbe: description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - x-kubernetes-list-type: atomic - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - type: integer - format: int32 - grpc: - description: GRPC specifies an action involving a GRPC port. - type: object - required: - - port - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - type: integer - format: int32 - service: - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + StartupProbe indicates that the Pod has successfully initialized. + If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. 
+ type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. + If this is not specified, the default behavior is defined by gRPC. + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. 
+ type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + terminationMessagePath: + description: |- + Optional: Path at which the file to which the container's termination message + will be written is mounted into the container's filesystem. + Message written is intended to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. The total message length across + all containers will be limited to 12kb. + Defaults to /dev/termination-log. + Cannot be updated. type: string - httpGet: - description: HTTPGet specifies the http request to perform. - type: object - properties: - host: + terminationMessagePolicy: description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. + Indicate how the termination message should be populated. File will use the contents of + terminationMessagePath to populate the container status message on both success and failure. + FallbackToLogsOnError will use the last chunk of container log output if the termination + message file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + Defaults to File. + Cannot be updated. type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + volumeMounts: + description: |- + Pod volumes to mount into the container's filesystem. + Cannot be updated. type: array items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: VolumeMount describes a mounting of a Volume within a container. type: object required: + - mountPath - name - - value properties: - name: + mountPath: description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
+ Path within the container at which the volume should be mounted. Must + not contain ':'. type: string - value: - description: The header field value + name: + description: This must match the Name of a Volume. type: string - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. + Container's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. type: string - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. 
- type: integer - format: int32 - successThreshold: + dnsConfig: + description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig + type: object + x-kubernetes-preserve-unknown-fields: true + dnsPolicy: + description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' + type: boolean + hostAliases: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: object + x-kubernetes-preserve-unknown-fields: true + hostIPC: + description: This is accessible behind a feature flag - kubernetes.podspec-hostipc + type: boolean + x-kubernetes-preserve-unknown-fields: true + hostNetwork: + description: This is accessible behind a feature flag - kubernetes.podspec-hostnetwork + type: boolean + x-kubernetes-preserve-unknown-fields: true + hostPID: + description: This is accessible behind a feature flag - kubernetes.podspec-hostpid + type: boolean + x-kubernetes-preserve-unknown-fields: true + idleTimeoutSeconds: + description: |- + IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed + to stay open while not receiving any bytes from the user's application. If + unspecified, a system default will be provided. + type: integer + format: int64 + imagePullSecrets: + description: |- + ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual puller implementations for them to use. 
+ More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + type: array + items: description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. type: object properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: + name: description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. 
- FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - type: array - items: - description: VolumeMount describes a mounting of a Volume within a container. + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + x-kubernetes-map-type: atomic + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + initContainers: + description: |- + List of initialization containers belonging to the pod. + Init containers are executed in order prior to containers being started. If any + init container fails, the pod is considered to have failed and is handled according + to its restartPolicy. The name for an init container or normal container must be + unique among all containers. + Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. + The resourceRequirements of an init container are taken into account during scheduling + by finding the highest request/limit for each resource type, and then using the max of + of that value or the sum of the normal containers. Limits are applied to init containers + in a similar fashion. + Init containers cannot currently be added or removed. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-init-containers + type: object + x-kubernetes-preserve-unknown-fields: true + nodeSelector: + description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector type: object - required: - - mountPath + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + priorityClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname + type: string + x-kubernetes-preserve-unknown-fields: true + responseStartTimeoutSeconds: + description: |- + ResponseStartTimeoutSeconds is the maximum duration in seconds that the request + routing layer will wait for a request delivered to a container to begin + sending any network traffic. + type: integer + format: int64 + runtimeClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname + type: string + x-kubernetes-preserve-unknown-fields: true + schedulerName: + description: This is accessible behind a feature flag - kubernetes.podspec-schedulername + type: string + x-kubernetes-preserve-unknown-fields: true + securityContext: + description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext + type: object + x-kubernetes-preserve-unknown-fields: true + serviceAccountName: + description: |- + ServiceAccountName is the name of the ServiceAccount to use to run this pod. 
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + type: string + shareProcessNamespace: + description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace + type: boolean + x-kubernetes-preserve-unknown-fields: true + timeoutSeconds: + description: |- + TimeoutSeconds is the maximum duration in seconds that the request instance + is allowed to respond to a request. If unspecified, a system default will + be provided. + type: integer + format: int64 + tolerations: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: object + x-kubernetes-preserve-unknown-fields: true + volumes: + description: |- + List of volumes that can be mounted by containers belonging to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes + type: array + items: + description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + type: object + required: + - name + properties: + configMap: + description: configMap represents a configMap that should populate this volume + type: object + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. 
+ Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + emptyDir: + description: This is accessible behind a feature flag - kubernetes.podspec-emptydir + type: object + x-kubernetes-preserve-unknown-fields: true + hostPath: + description: This is accessible behind a feature flag - kubernetes.podspec-hostpath + type: object + x-kubernetes-preserve-unknown-fields: true + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + persistentVolumeClaim: + description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim + type: object + x-kubernetes-preserve-unknown-fields: true + projected: + description: projected items for all in one resources secrets, configmaps, and downward API + type: object + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ type: integer + format: int32 + sources: + description: sources is the list of volume projections + type: array + items: + description: Projection that may be projected along with other supported volume types + type: object + properties: + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. 
The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. 
+ If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. 
The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + type: integer + format: int64 + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + x-kubernetes-list-type: atomic + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: object + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. 
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + x-kubernetes-list-map-keys: - name - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. 
- type: string - dnsConfig: - description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig - type: object - x-kubernetes-preserve-unknown-fields: true - dnsPolicy: - description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy - type: string - enableServiceLinks: - description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' - type: boolean - hostAliases: - description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases - type: array - items: - description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases - type: object - x-kubernetes-preserve-unknown-fields: true - hostIPC: - description: This is accessible behind a feature flag - kubernetes.podspec-hostipc - type: boolean - x-kubernetes-preserve-unknown-fields: true - hostNetwork: - description: This is accessible behind a feature flag - kubernetes.podspec-hostnetwork - type: boolean - x-kubernetes-preserve-unknown-fields: true - hostPID: - description: This is accessible behind a feature flag - kubernetes.podspec-hostpid - type: boolean - x-kubernetes-preserve-unknown-fields: true - idleTimeoutSeconds: - description: |- - IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed - to stay open while not receiving any bytes from the user's application. If - unspecified, a system default will be provided. - type: integer - format: int64 - imagePullSecrets: + x-kubernetes-list-type: map + traffic: description: |- - ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. - If specified, these secrets will be passed to individual puller implementations for them to use. 
- More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + Traffic specifies how to distribute traffic over a collection of + revisions and configurations. type: array items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: TrafficTarget holds a single entry of the routing table for a Route. type: object properties: - name: + configurationName: description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + ConfigurationName of a configuration to whose latest revision we will send + this portion of traffic. When the "status.latestReadyRevisionName" of the + referenced configuration changes, we will automatically migrate traffic + from the prior "latest ready" revision to the new one. This field is never + set in Route's status, only its spec. This is mutually exclusive with + RevisionName. type: string - default: "" - x-kubernetes-map-type: atomic - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - initContainers: - description: |- - List of initialization containers belonging to the pod. - Init containers are executed in order prior to containers being started. If any - init container fails, the pod is considered to have failed and is handled according - to its restartPolicy. The name for an init container or normal container must be - unique among all containers. - Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. 
- The resourceRequirements of an init container are taken into account during scheduling - by finding the highest request/limit for each resource type, and then using the max of - of that value or the sum of the normal containers. Limits are applied to init containers - in a similar fashion. - Init containers cannot currently be added or removed. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - type: array - items: - description: This is accessible behind a feature flag - kubernetes.podspec-init-containers - type: object - x-kubernetes-preserve-unknown-fields: true - nodeSelector: - description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-map-type: atomic - priorityClassName: - description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname - type: string - x-kubernetes-preserve-unknown-fields: true - responseStartTimeoutSeconds: - description: |- - ResponseStartTimeoutSeconds is the maximum duration in seconds that the request - routing layer will wait for a request delivered to a container to begin - sending any network traffic. - type: integer - format: int64 - runtimeClassName: - description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname - type: string - x-kubernetes-preserve-unknown-fields: true - schedulerName: - description: This is accessible behind a feature flag - kubernetes.podspec-schedulername - type: string - x-kubernetes-preserve-unknown-fields: true - securityContext: - description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext - type: object - x-kubernetes-preserve-unknown-fields: true - serviceAccountName: - description: |- - ServiceAccountName is the name of the ServiceAccount to use to run this pod. 
- More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - type: string - shareProcessNamespace: - description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace - type: boolean - x-kubernetes-preserve-unknown-fields: true - timeoutSeconds: - description: |- - TimeoutSeconds is the maximum duration in seconds that the request instance - is allowed to respond to a request. If unspecified, a system default will - be provided. - type: integer - format: int64 - tolerations: - description: This is accessible behind a feature flag - kubernetes.podspec-tolerations - type: array - items: - description: This is accessible behind a feature flag - kubernetes.podspec-tolerations - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-list-type: atomic - topologySpreadConstraints: - description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints - type: array - items: - description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints - type: object - x-kubernetes-preserve-unknown-fields: true - volumes: - description: |- - List of volumes that can be mounted by containers belonging to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes - type: array - items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. - type: object - required: - - name - properties: - configMap: - description: configMap represents a configMap that should populate this volume - type: object - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. 
- Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - x-kubernetes-list-type: atomic - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: optional specify whether the ConfigMap or its keys must be defined - type: boolean - x-kubernetes-map-type: atomic - emptyDir: - description: This is accessible behind a feature flag - kubernetes.podspec-emptydir - type: object - x-kubernetes-preserve-unknown-fields: true - name: + latestRevision: + description: |- + LatestRevision may be optionally provided to indicate that the latest + ready Revision of the Configuration should be used for this traffic + target. When provided LatestRevision must be true if RevisionName is + empty; it must be false when RevisionName is non-empty. + type: boolean + percent: + description: |- + Percent indicates that percentage based routing should be used and + the value indicates the percent of traffic that is be routed to this + Revision or Configuration. `0` (zero) mean no traffic, `100` means all + traffic. + When percentage based routing is being used the follow rules apply: + - the sum of all percent values must equal 100 + - when not specified, the implied value for `percent` is zero for + that particular Revision or Configuration + type: integer + format: int64 + revisionName: description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + RevisionName of a specific revision to which to send this portion of + traffic. This is mutually exclusive with ConfigurationName. 
type: string - persistentVolumeClaim: - description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim - type: object - x-kubernetes-preserve-unknown-fields: true - projected: - description: projected items for all in one resources secrets, configmaps, and downward API - type: object - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - sources: - description: sources is the list of volume projections - type: array - items: - description: Projection that may be projected along with other supported volume types - type: object - properties: - configMap: - description: configMap information about the configMap data to project - type: object - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: key is the key to project. 
- type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - x-kubernetes-list-type: atomic - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: optional specify whether the ConfigMap or its keys must be defined - type: boolean - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the downwardAPI data to project - type: object - properties: - items: - description: Items is a list of DownwardAPIVolume file - type: array - items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field - type: object - required: - - path - properties: - fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' 
- type: object - required: - - fieldPath - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. - type: string - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- type: object - required: - - resource - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - description: Specifies the output format of the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - x-kubernetes-map-type: atomic - x-kubernetes-list-type: atomic - secret: - description: secret information about the secret data to project - type: object - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- type: integer - format: int32 - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - x-kubernetes-list-type: atomic - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: optional field specify whether the Secret or its key must be defined - type: boolean - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information about the serviceAccountToken data to project - type: object - required: - - path - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. 
- type: integer - format: int64 - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - x-kubernetes-list-type: atomic - secret: + tag: description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: object - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map + Tag is optionally used to expose a dedicated url for referencing + this target exclusively. + type: string + url: + description: |- + URL displays the URL for accessing named traffic targets. URL is displayed in + status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and + a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) + type: string status: - description: RevisionStatus communicates the observed state of the Revision (from the controller). + description: ServiceStatus represents the Status stanza of the Service resource. type: object properties: - actualReplicas: - description: ActualReplicas reflects the amount of ready pods running this revision. - type: integer - format: int32 + address: + description: Address holds the information needed for a Route to be the target of an event. + type: object + properties: + CACerts: + description: |- + CACerts is the Certification Authority (CA) certificates in PEM format + according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + audience: + description: Audience is the OIDC audience for this address. + type: string + name: + description: Name is the name of the address. 
+ type: string + url: + type: string annotations: description: |- Annotations is additional Status fields for the Resource to save some 
@@ -1544,52 +1657,79 @@ spec: type: description: Type of condition. type: string - containerStatuses: + latestCreatedRevisionName: description: |- - ContainerStatuses is a slice of images present in .Spec.Container[*].Image - to their respective digests and their container name. - The digests are resolved during the creation of Revision. - ContainerStatuses holds the container name and image digests - for both serving and non serving containers. - ref: http://bit.ly/image-digests - type: array - items: - description: ContainerStatus holds the information of container name and image digest value - type: object - properties: - imageDigest: - type: string - name: - type: string - desiredReplicas: - description: DesiredReplicas reflects the desired amount of pods running this revision. + LatestCreatedRevisionName is the last revision that was created from this + Configuration. It might not be ready yet, for that use LatestReadyRevisionName. + type: string + latestReadyRevisionName: + description: |- + LatestReadyRevisionName holds the name of the latest Revision stamped out + from this Configuration that has had its "Ready" condition become "True". + type: string + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. type: integer - format: int32 - initContainerStatuses: + format: int64 + traffic: description: |- - InitContainerStatuses is a slice of images present in .Spec.InitContainer[*].Image - to their respective digests and their container name. - The digests are resolved during the creation of Revision. - ContainerStatuses holds the container name and image digests - for both serving and non serving containers. - ref: http://bit.ly/image-digests + Traffic holds the configured traffic distribution. + These entries will always contain RevisionName references. + When ConfigurationName appears in the spec, this will hold the + LatestReadyRevisionName that we last observed. 
type: array items: - description: ContainerStatus holds the information of container name and image digest value + description: TrafficTarget holds a single entry of the routing table for a Route. type: object properties: - imageDigest: + configurationName: + description: |- + ConfigurationName of a configuration to whose latest revision we will send + this portion of traffic. When the "status.latestReadyRevisionName" of the + referenced configuration changes, we will automatically migrate traffic + from the prior "latest ready" revision to the new one. This field is never + set in Route's status, only its spec. This is mutually exclusive with + RevisionName. type: string - name: + latestRevision: + description: |- + LatestRevision may be optionally provided to indicate that the latest + ready Revision of the Configuration should be used for this traffic + target. When provided LatestRevision must be true if RevisionName is + empty; it must be false when RevisionName is non-empty. + type: boolean + percent: + description: |- + Percent indicates that percentage based routing should be used and + the value indicates the percent of traffic that is be routed to this + Revision or Configuration. `0` (zero) mean no traffic, `100` means all + traffic. + When percentage based routing is being used the follow rules apply: + - the sum of all percent values must equal 100 + - when not specified, the implied value for `percent` is zero for + that particular Revision or Configuration + type: integer + format: int64 + revisionName: + description: |- + RevisionName of a specific revision to which to send this portion of + traffic. This is mutually exclusive with ConfigurationName. type: string - logUrl: - description: |- - LogURL specifies the generated logging url for this particular revision - based on the revision url template specified in the controller's config. 
- type: string - observedGeneration: + tag: + description: |- + Tag is optionally used to expose a dedicated url for referencing + this target exclusively. + type: string + url: + description: |- + URL displays the URL for accessing named traffic targets. URL is displayed in + status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and + a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) + type: string + url: description: |- - ObservedGeneration is the 'Generation' of the Service that - was last processed by the controller. - type: integer - format: int64 + URL holds the url that will distribute traffic over the provided traffic targets. + It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} + type: string \ No newline at end of file diff --git a/config/core/300-resources/service.yaml b/config/core/300-resources/service.yaml index bd322152cee9..6f45a63aa361 100644 --- a/config/core/300-resources/service.yaml +++ b/config/core/300-resources/service.yaml @@ -1233,6 +1233,10 @@ spec: description: This is accessible behind a feature flag - kubernetes.podspec-emptydir type: object x-kubernetes-preserve-unknown-fields: true + hostPath: + description: This is accessible behind a feature flag - kubernetes.podspec-hostpath + type: object + x-kubernetes-preserve-unknown-fields: true name: description: |- name of the volume. @@ -1728,4 +1732,4 @@ spec: description: |- URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} - type: string + type: string \ No newline at end of file diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml index 55d64127acdd..b01f0ecc790e 100644 --- a/config/core/configmaps/features.yaml +++ b/config/core/configmaps/features.yaml 
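Review bot: revision.yaml looks overwritten with the Service CRD rather than patched for hostPath: this hunk drops the Revision status fields `containerStatuses`, `desiredReplicas`, `initContainerStatuses` and `logUrl` and puts `latestCreatedRevisionName`, `latestReadyRevisionName`, `traffic` and `url` in their place, and its new tail reads the same as the end of service.yaml. If the whole file now carries the Service definition, applying it would leave the Revision CRD without its own schema, which has nothing to do with hostPath support. The file should be regenerated so that its only change is the `hostPath` property next to `emptyDir`, as in the service.yaml hunk that follows.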
@@ -22,7 +22,7 @@ metadata: app.kubernetes.io/component: controller app.kubernetes.io/version: devel annotations: - knative.dev/example-checksum: "9ff569ad" + knative.dev/example-checksum: "63a13754" data: _example: |- ################################ @@ -200,6 +200,14 @@ data: # 2. Disabled: disabling EmptyDir volume support kubernetes.podspec-volumes-emptydir: "enabled" + # Controls whether volume support for HostPath is enabled or not. + # WARNING: Cannot safely be disabled once enabled. + # WARNING: If you can avoid using a hostPath volume, you should. + # Please read https://kubernetes.io/docs/concepts/storage/volumes/#hostpath before enabling this feature. + # 1. Enabled: enabling HostPath volume support + # 2. Disabled: disabling HostPath volume support + kubernetes.podspec-volumes-hostpath: "disabled" + # Controls whether init containers support is enabled or not. # 1. Enabled: enabling init containers support # 2. Disabled: disabling init containers support @@ -233,4 +241,4 @@ data: queueproxy.mount-podinfo: "disabled" # Default queue proxy resource requests and limits to good values for most cases if set. - queueproxy.resource-defaults: "disabled" + queueproxy.resource-defaults: "disabled" \ No newline at end of file diff --git a/hack/schemapatch-config.yaml b/hack/schemapatch-config.yaml index 7656efc9eb0b..f24a49d9e22a 100644 --- a/hack/schemapatch-config.yaml +++ b/hack/schemapatch-config.yaml 
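Review bot: The comment block added for `kubernetes.podspec-volumes-hostpath` says hostPath should be avoided but not what turning it on grants. As far as this file shows, the flag is a single install-wide switch, so once enabled hostPath is accepted from every principal that may create Knative Services, in every namespace. I would add a line such as `# WARNING: Applies to all namespaces; once enabled, permission to create Services implies access to node filesystem paths.` It is also worth noting that namespaces enforcing the Baseline or Restricted Pod Security Standard will still reject the resulting pods, because both forbid hostPath volumes. Keeping the default at `"disabled"` is the right choice.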
@@ -12,18 +12,25 @@ k8s.io/api/core/v1.VolumeSource: # Following are behind feature flags - EmptyDir - PersistentVolumeClaim + - HostPath k8s.io/api/core/v1.PersistentVolumeClaimVolumeSource: description: "This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields k8s.io/api/core/v1.EmptyDirVolumeSource: description: "This is accessible behind a feature flag - kubernetes.podspec-emptydir" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields +k8s.io/api/core/v1.HostPathVolumeSource: + description: "This is accessible behind a feature flag - kubernetes.podspec-hostpath" + additionalMarkers: + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields k8s.io/api/core/v1.VolumeProjection: fieldMask: - Secret 
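Review bot: The description added for `k8s.io/api/core/v1.HostPathVolumeSource` names the flag `kubernetes.podspec-hostpath`, but the key this patch registers in features.go and documents in features.yaml is `kubernetes.podspec-volumes-hostpath`, so an operator reading the CRD description would look for a key that does not exist. Suggested: `description: "This is accessible behind a feature flag - kubernetes.podspec-volumes-hostpath"`, then regenerate the CRDs that copy this text. The neighbouring `EmptyDirVolumeSource` entry has the same mismatch with `kubernetes.podspec-volumes-emptydir`, so the wording was probably inherited by copy. The re-indentation of the `# Part of a feature flag` comment lines in this hunk is unrelated and could be left out of the patch.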
@@ -79,17 +86,17 @@ k8s.io/api/core/v1.PodSpec: Affinity: description: "This is accessible behind a feature flag - kubernetes.podspec-affinity" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields DNSPolicy: description: "This is accessible behind a feature flag - kubernetes.podspec-dnspolicy" DNSConfig: description: "This is accessible behind a feature flag - kubernetes.podspec-dnsconfig" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields EnableServiceLinks: description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' HostAliases: @@ -99,9 +106,9 @@ k8s.io/api/core/v1.PodSpec: itemOverride: description: "This is accessible behind a feature flag - kubernetes.podspec-hostaliases" additionalMarkers: - # # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields Containers: additionalMarkers: - kubebuilder:validation:DropListMapMarkers 
@@ -111,33 +118,33 @@ k8s.io/api/core/v1.PodSpec: itemOverride: description: "This is accessible behind a feature flag - kubernetes.podspec-init-containers" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields NodeSelector: description: "This is accessible behind a feature flag - kubernetes.podspec-nodeselector" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields PriorityClassName: description: "This is accessible behind a feature flag - kubernetes.podspec-priorityclassname" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields RuntimeClassName: description: "This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields SchedulerName: description: "This is 
accessible behind a feature flag - kubernetes.podspec-schedulername" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields SecurityContext: description: "This is accessible behind a feature flag - kubernetes.podspec-securitycontext" additionalMarkers: @@ -153,9 +160,9 @@ k8s.io/api/core/v1.PodSpec: HostIPC: description: "This is accessible behind a feature flag - kubernetes.podspec-hostipc" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields HostPID: description: "This is accessible behind a feature flag - kubernetes.podspec-hostpid" additionalMarkers: @@ -173,9 +180,9 @@ k8s.io/api/core/v1.PodSpec: itemOverride: description: "This is accessible behind a feature flag - kubernetes.podspec-tolerations" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields TopologySpreadConstraints: description: "This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints" additionalMarkers: 
@@ -183,9 +190,9 @@ k8s.io/api/core/v1.PodSpec: itemOverride: description: "This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields k8s.io/api/core/v1.Container: fieldMask: - Name @@ -208,10 +215,10 @@ k8s.io/api/core/v1.Container: fieldOverrides: Name: additionalMarkers: - - optional + - optional Ports: additionalMarkers: - - optional + - optional k8s.io/api/core/v1.VolumeMount: fieldMask: - Name @@ -252,7 +259,7 @@ k8s.io/api/core/v1.HTTPGetAction: fieldOverrides: Port: additionalMarkers: - - optional + - optional k8s.io/api/core/v1.TCPSocketAction: fieldMask: - Host @@ -260,7 +267,7 @@ k8s.io/api/core/v1.TCPSocketAction: fieldOverrides: Port: additionalMarkers: - - optional + - optional k8s.io/api/core/v1.ContainerPort: fieldMask: - ContainerPort 
@@ -281,15 +288,15 @@ k8s.io/api/core/v1.EnvVarSource: FieldRef: description: "This is accessible behind a feature flag - kubernetes.podspec-fieldref" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields ResourceFieldRef: description: "This is accessible behind a feature flag - kubernetes.podspec-fieldref" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields k8s.io/api/core/v1.LocalObjectReference: fieldMask: - Name @@ -340,4 +347,4 @@ k8s.io/api/core/v1.ObjectReference: fieldMask: - APIVersion - Kind - - Name + - Name \ No newline at end of file diff --git a/pkg/apis/config/features.go b/pkg/apis/config/features.go index 57b0bbe495d2..79f381d451c8 100644 --- a/pkg/apis/config/features.go +++ b/pkg/apis/config/features.go @@ -72,6 +72,7 @@ func defaultFeaturesConfig() *Features { ContainerSpecAddCapabilities: Disabled, PodSpecTolerations: Disabled, PodSpecVolumesEmptyDir: Enabled, + PodSpecVolumesHostPath: Disabled, PodSpecPersistentVolumeClaim: Disabled, PodSpecPersistentVolumeWrite: Disabled, QueueProxyMountPodInfo: Disabled, 
@@ -107,6 +108,7 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) { asFlag("kubernetes.containerspec-addcapabilities", &nc.ContainerSpecAddCapabilities), asFlag("kubernetes.podspec-tolerations", &nc.PodSpecTolerations), asFlag("kubernetes.podspec-volumes-emptydir", &nc.PodSpecVolumesEmptyDir), + asFlag("kubernetes.podspec-volumes-hostpath", &nc.PodSpecVolumesHostPath), asFlag("kubernetes.podspec-hostipc", &nc.PodSpecHostIPC), asFlag("kubernetes.podspec-hostpid", &nc.PodSpecHostPID), asFlag("kubernetes.podspec-hostnetwork", &nc.PodSpecHostNetwork), @@ -151,6 +153,7 @@ type Features struct { ContainerSpecAddCapabilities Flag PodSpecTolerations Flag PodSpecVolumesEmptyDir Flag + PodSpecVolumesHostPath Flag PodSpecInitContainers Flag PodSpecPersistentVolumeClaim Flag PodSpecPersistentVolumeWrite Flag diff --git a/pkg/apis/config/features_test.go b/pkg/apis/config/features_test.go index 82696c4f9667..0995c2f56061 100644 --- a/pkg/apis/config/features_test.go +++ b/pkg/apis/config/features_test.go @@ -438,6 +438,24 @@ func TestFeaturesConfiguration(t *testing.T) { data: map[string]string{ "kubernetes.podspec-volumes-emptydir": "Enabled", }, + }, { + name: "kubernetes.podspec-volumes-hostpath Disabled", + wantErr: false, + wantFeatures: defaultWith(&Features{ + PodSpecVolumesHostPath: Disabled, + }), + data: map[string]string{ + "kubernetes.podspec-volumes-hostpath": "Disabled", + }, + }, { + name: "kubernetes.podspec-volumes-hostpath Enabled", + wantErr: false, + wantFeatures: defaultWith(&Features{ + PodSpecVolumesHostPath: Enabled, + }), + data: map[string]string{ + "kubernetes.podspec-volumes-hostpath": "Enabled", + }, }, { name: "kubernetes.podspec-persistent-volume-claim Disabled", wantErr: false, diff --git a/pkg/apis/serving/fieldmask.go b/pkg/apis/serving/fieldmask.go index faff5dba9690..66f31f825c2e 100644 --- a/pkg/apis/serving/fieldmask.go +++ b/pkg/apis/serving/fieldmask.go 
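Review bot: The key registered by the added `asFlag` line, `kubernetes.podspec-volumes-hostpath`, does not match the name that the schema text gives operators: the description in hack/schemapatch-config.yaml and in the generated CRDs says `kubernetes.podspec-hostpath`. An operator who follows the CRD description would set a key that this line does not look up, and hostPath would stay masked with no hint why. The description should read `This is accessible behind a feature flag - kubernetes.podspec-volumes-hostpath`, with the CRDs regenerated afterwards. The emptyDir description shows the same kind of mismatch against `kubernetes.podspec-volumes-emptydir`, so the wording may have been copied from there. NewFeaturesConfigFromMap starts and ends outside the hunk.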
@@ -66,6 +66,10 @@ func VolumeSourceMask(ctx context.Context, in *corev1.VolumeSource) *corev1.Volu out.PersistentVolumeClaim = in.PersistentVolumeClaim } + if cfg.Features.PodSpecVolumesHostPath != config.Disabled { + out.HostPath = in.HostPath + } + // Too many disallowed fields to list return out diff --git a/pkg/apis/serving/k8s_validation.go b/pkg/apis/serving/k8s_validation.go index 42946b80ef99..56ed7ab8dfed 100644 --- a/pkg/apis/serving/k8s_validation.go +++ b/pkg/apis/serving/k8s_validation.go @@ -21,6 +21,7 @@ import ( "fmt" "math" "path" + "path/filepath" "strings" "github.com/google/go-containerregistry/pkg/name" @@ -161,6 +162,11 @@ func validateVolume(ctx context.Context, volume corev1.Volume) *apis.FieldError specified = append(specified, "persistentVolumeClaim") } + if vs.HostPath != nil { + specified = append(specified, "hostPath") + errs = errs.Also(validateHostPathVolumeSource(vs.HostPath).ViaField("hostPath")) + } + if len(specified) == 0 { fieldPaths := []string{"secret", "configMap", "projected"} cfg := config.FromContextOrDefaults(ctx) @@ -170,6 +176,9 @@ func validateVolume(ctx context.Context, volume corev1.Volume) *apis.FieldError if cfg.Features.PodSpecPersistentVolumeClaim == config.Enabled { fieldPaths = append(fieldPaths, "persistentVolumeClaim") } + if cfg.Features.PodSpecVolumesHostPath == config.Enabled { + fieldPaths = append(fieldPaths, "hostPath") + } errs = errs.Also(apis.ErrMissingOneOf(fieldPaths...)) } else if len(specified) > 1 { errs = errs.Also(apis.ErrMultipleOneOf(specified...)) 
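Review bot: The new `vs.HostPath != nil` branch in validateVolume checks only the shape of the source, and nothing visible in this patch limits how the volume is mounted, so once the flag is on a revision can mount a node path read-write. Persistent volume claims appear to have a separate write gate, judging by the expected message `Persistent volume write support is disabled, ...` in the test file; hostPath has no equivalent. Either require `readOnly: true` on volume mounts that reference a hostPath volume, or state the exposure on this branch, for example `// hostPath mounts are not forced read-only; enabling the flag grants write access to the node path`. Rejection while the flag is disabled presumably relies on the mask check elsewhere in validateVolume, which starts and ends outside the hunk.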
@@ -286,6 +295,50 @@ func validateEmptyDirFields(dir *corev1.EmptyDirVolumeSource) *apis.FieldError { return errs } +func validateHostPathVolumeSource(hostPath *corev1.HostPathVolumeSource) *apis.FieldError { + var errs *apis.FieldError + if len(hostPath.Path) == 0 { + errs = errs.Also(apis.ErrInvalidValue("''", "path")) + return errs + } + errs = errs.Also(validatePathNoBacksteps(hostPath.Path, "path")) + errs = errs.Also(validateHostPathType(hostPath.Type, "type")) + return errs +} + +// validatePathNoBacksteps makes sure the targetPath does not have any `..` path elements when split +// +// This assumes the OS of the apiserver and the nodes are the same. The same check should be done +// on the node to ensure there are no backsteps. +func validatePathNoBacksteps(targetPath string, fldPath string) *apis.FieldError { + var errs *apis.FieldError + parts := strings.Split(filepath.ToSlash(targetPath), "/") + for _, item := range parts { + if item == ".." { + errs = errs.Also(apis.ErrInvalidValue(targetPath, fldPath, "must not contain '..'")) + break // even for `../../..`, one error is sufficient to make the point + } + } + return errs +} + +func validateHostPathType(hostPathType *corev1.HostPathType, fldPath string) *apis.FieldError { + var errs *apis.FieldError + supportedHostPathTypes := sets.New( + corev1.HostPathUnset, + corev1.HostPathDirectoryOrCreate, + corev1.HostPathDirectory, + corev1.HostPathFileOrCreate, + corev1.HostPathFile, + corev1.HostPathSocket, + corev1.HostPathCharDev, + corev1.HostPathBlockDev) + if hostPathType != nil && !supportedHostPathTypes.Has(*hostPathType) { + errs = errs.Also(apis.ErrInvalidValue(*hostPathType, fldPath, "unknown type")) + } + return errs +} + func validateEnvValueFrom(ctx context.Context, source *corev1.EnvVarSource) *apis.FieldError { if source == nil { return nil diff --git a/pkg/apis/serving/k8s_validation_test.go b/pkg/apis/serving/k8s_validation_test.go index 892e381f8901..2deb34cb2553 100644 
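Review bot: validateHostPathVolumeSource accepts every non-empty path that has no `..` element, so it checks path syntax only and puts no bound on which node locations or host path types (sockets, character and block devices included) a revision may mount. The function has no doc comment, and that limit should be stated on it: `// validateHostPathVolumeSource checks only that Path is non-empty, has no '..' element and that Type is a known HostPathType; it does not restrict which node paths may be mounted.` validateHostPathType needs a one-line comment as well. Since the validation cannot express a path allowlist, the feature documentation should tell operators to pair the flag with a namespace-level admission policy; the Pod Security Standards baseline profile, for instance, forbids hostPath volumes.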
--- a/pkg/apis/serving/k8s_validation_test.go +++ b/pkg/apis/serving/k8s_validation_test.go @@ -171,6 +171,13 @@ func withMultiContainerProbesEnabled() configOption { } } +func withPodSpecVolumesHostPathEnabled() configOption { + return func(cfg *config.Config) *config.Config { + cfg.Features.PodSpecVolumesHostPath = config.Enabled + return cfg + } +} + func withPodSpecDNSPolicyEnabled() configOption { return func(cfg *config.Config) *config.Config { cfg.Features.PodSpecDNSPolicy = config.Enabled @@ -2911,6 +2918,49 @@ func TestVolumeValidation(t *testing.T) { Message: `Persistent volume write support is disabled, but found persistent volume claim myclaim that is not read-only`, }).Also( &apis.FieldError{Message: "must not set the field(s)", Paths: []string{"persistentVolumeClaim"}}), + }, { + name: "hostPath volume", + v: corev1.Volume{ + Name: "foo", + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: "foo/foo", + }, + }, + }, + cfgOpts: []configOption{withPodSpecVolumesHostPathEnabled()}, + }, { + name: "invalid hostPath volume, invalid type", + v: corev1.Volume{ + Name: "foo", + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: "foo/foo", + Type: (*corev1.HostPathType)(ptr.String("wrong")), + }, + }, + }, + cfgOpts: []configOption{withPodSpecVolumesHostPathEnabled()}, + want: &apis.FieldError{ + Message: `invalid value: wrong`, + Paths: []string{"hostPath.type"}, + Details: "unknown type", + }, + }, { + name: "invalid hostPath volume, empty path", + v: corev1.Volume{ + Name: "foo", + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: "", + }, + }, + }, + cfgOpts: []configOption{withPodSpecVolumesHostPathEnabled()}, + want: &apis.FieldError{ + Message: `invalid value: ''`, + Paths: []string{"hostPath.path"}, + }, }, { name: "no volume source", v: corev1.Volume{ 
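Review bot: The added TestVolumeValidation cases never exercise validatePathNoBacksteps, and none sets hostPath with the feature left at its default, so the two checks that matter most for this feature are untested. Add a case whose path contains a `..` element, as below, and a second case without `withPodSpecVolumesHostPathEnabled()` that expects the volume to be rejected. The exact error for the disabled case depends on validateVolume code outside this diff; presumably it is `must not set the field(s)` on `hostPath`, as in the persistentVolumeClaim case just above. The test table and the function continue outside the hunk.

```go
	}, {
		name: "invalid hostPath volume, path with backstep",
		v: corev1.Volume{
			Name: "foo",
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{
					Path: "foo/../bar", // constructed sample value
				},
			},
		},
		cfgOpts: []configOption{withPodSpecVolumesHostPathEnabled()},
		want: &apis.FieldError{
			Message: `invalid value: foo/../bar`,
			Paths:   []string{"hostPath.path"},
			Details: "must not contain '..'",
		},
	}, {
		// … unchanged: "no volume source" case and the rest of the table …
```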
diff --git a/pkg/reconciler/route/resources/service_test.go b/pkg/reconciler/route/resources/service_test.go index e35af05898f8..829dfe914254 100644 --- a/pkg/reconciler/route/resources/service_test.go +++ b/pkg/reconciler/route/resources/service_test.go @@ -434,6 +434,7 @@ func testConfig() *config.Config { PodSpecNodeSelector: apiConfig.Disabled, PodSpecTolerations: apiConfig.Disabled, PodSpecVolumesEmptyDir: apiConfig.Disabled, + PodSpecVolumesHostPath: apiConfig.Disabled, PodSpecPersistentVolumeClaim: apiConfig.Disabled, PodSpecPersistentVolumeWrite: apiConfig.Disabled, PodSpecInitContainers: apiConfig.Disabled, From 937a1324fa101a4c913387bae58c6fd957cc3d31 Mon Sep 17 00:00:00 2001 From: Amarendra Kumar Date: Mon, 9 Dec 2024 21:07:48 +0530 Subject: [PATCH 2/8] 15546: Fix additional Space and eof --- config/core/300-resources/configuration.yaml | 2 +- hack/schemapatch-config.yaml | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/config/core/300-resources/configuration.yaml b/config/core/300-resources/configuration.yaml index a653d65d54ef..18ded96292a7 100644 --- a/config/core/300-resources/configuration.yaml +++ b/config/core/300-resources/configuration.yaml @@ -1582,4 +1582,4 @@ spec: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. type: integer - format: int64 \ No newline at end of file + format: int64 diff --git a/hack/schemapatch-config.yaml b/hack/schemapatch-config.yaml index f24a49d9e22a..37aa3f807ac8 100644 --- a/hack/schemapatch-config.yaml +++ b/hack/schemapatch-config.yaml 
@@ -16,21 +16,21 @@ k8s.io/api/core/v1.VolumeSource: k8s.io/api/core/v1.PersistentVolumeClaimVolumeSource: description: "This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields k8s.io/api/core/v1.EmptyDirVolumeSource: description: "This is accessible behind a feature flag - kubernetes.podspec-emptydir" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields k8s.io/api/core/v1.HostPathVolumeSource: description: "This is accessible behind a feature flag - kubernetes.podspec-hostpath" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields k8s.io/api/core/v1.VolumeProjection: fieldMask: - Secret From 36b1d84199dd4e3c1903639398d98103fa4ffbba Mon Sep 17 00:00:00 2001 From: Amarendra Kumar Date: Mon, 9 Dec 2024 21:16:34 +0530 Subject: [PATCH 3/8] Fix eof --- config/core/300-resources/revision.yaml | 2 +- config/core/300-resources/service.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/config/core/300-resources/revision.yaml b/config/core/300-resources/revision.yaml index 6f45a63aa361..b4d8b0bf2466 100644 --- a/config/core/300-resources/revision.yaml +++ b/config/core/300-resources/revision.yaml @@ -1732,4 +1732,4 @@ spec: description: |- URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} - type: string \ No newline at end of file + type: string diff --git a/config/core/300-resources/service.yaml b/config/core/300-resources/service.yaml index 6f45a63aa361..b4d8b0bf2466 100644 --- a/config/core/300-resources/service.yaml +++ b/config/core/300-resources/service.yaml @@ -1732,4 +1732,4 @@ spec: description: |- URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} - type: string \ No newline at end of file + type: string From eb10a2ee473e6814ee0ea48c93e429f6a1230df1 Mon Sep 17 00:00:00 2001 From: Amarendra Kumar Date: Mon, 9 Dec 2024 21:19:02 +0530 Subject: [PATCH 4/8] update for EOF --- config/core/configmaps/features.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml index b01f0ecc790e..51830a89b6d5 100644 --- a/config/core/configmaps/features.yaml +++ b/config/core/configmaps/features.yaml @@ -241,4 +241,4 @@ data: queueproxy.mount-podinfo: "disabled" # Default queue proxy resource requests and limits to good values for most cases if set. - queueproxy.resource-defaults: "disabled" \ No newline at end of file + queueproxy.resource-defaults: "disabled" From 66daefb8d20f8bb9cff73e0abc0a396590e853dd Mon Sep 17 00:00:00 2001 
From: Amarendra Kumar Date: Mon, 9 Dec 2024 21:46:30 +0530 Subject: [PATCH 5/8] revert mess up --- config/core/300-resources/revision.yaml | 2906 +++++++++++------------ 1 file changed, 1385 insertions(+), 1521 deletions(-) diff --git a/config/core/300-resources/revision.yaml b/config/core/300-resources/revision.yaml index b4d8b0bf2466..e080902dd505 100644 --- a/config/core/300-resources/revision.yaml +++ b/config/core/300-resources/revision.yaml @@ -17,26 +17,23 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: services.serving.knative.dev + name: revisions.serving.knative.dev labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/version: devel knative.dev/crd-install: "true" - duck.knative.dev/addressable: "true" - duck.knative.dev/podspecable: "true" spec: group: serving.knative.dev names: - kind: Service - plural: services - singular: service + kind: Revision + plural: revisions + singular: revision categories: - all - knative - serving shortNames: - - kservice - - ksvc + - rev scope: Namespaced versions: - name: v1 
@@ -45,38 +42,33 @@ spec: subresources: status: {} additionalPrinterColumns: - - name: URL + - name: Config Name type: string - jsonPath: .status.url - - name: LatestCreated - type: string - jsonPath: .status.latestCreatedRevisionName - - name: LatestReady - type: string - jsonPath: .status.latestReadyRevisionName + jsonPath: ".metadata.labels['serving\\.knative\\.dev/configuration']" + - name: Generation + type: string # int in string form :( + jsonPath: ".metadata.labels['serving\\.knative\\.dev/configurationGeneration']" - name: Ready type: string jsonPath: ".status.conditions[?(@.type=='Ready')].status" - name: Reason type: string jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + - name: Actual Replicas + type: integer + jsonPath: ".status.actualReplicas" + - name: Desired Replicas + type: integer + jsonPath: ".status.desiredReplicas" schema: openAPIV3Schema: description: |- - Service acts as a top-level container that manages a Route and Configuration - which implement a network service. Service exists to provide a singular - abstraction which can be access controlled, reasoned about, and which - encapsulates software lifecycle decisions such as rollout policy and - team resource ownership. Service acts only as an orchestrator of the - underlying Routes and Configurations (much as a kubernetes Deployment - orchestrates ReplicaSets), and its usage is optional but recommended. - + Revision is an immutable snapshot of code and configuration. A revision + references a container image. Revisions are created by updates to a + Configuration. - The Service's controller will track the statuses of its owned Configuration - and Route, reflecting their statuses and conditions as its own. - - See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#service + See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#revision type: object properties: apiVersion: 
@@ -97,1522 +89,1421 @@ spec: metadata: type: object spec: - description: |- - ServiceSpec represents the configuration for the Service object. - A Service's specification is the union of the specifications for a Route - and Configuration. The Service restricts what can be expressed in these - fields, e.g. the Route must reference the provided Configuration; - however, these limitations also enable friendlier defaulting, - e.g. Route never needs a Configuration name, and may be defaulted to - the appropriate "run latest" spec. + description: RevisionSpec holds the desired state of the Revision (from the client). type: object + required: + - containers properties: - template: - description: Template holds the latest specification for the Revision to be stamped out. + affinity: + description: This is accessible behind a feature flag - kubernetes.podspec-affinity type: object - properties: - metadata: - type: object - properties: - annotations: - type: object - additionalProperties: - type: string - finalizers: - type: array - items: - type: string - labels: - type: object - additionalProperties: - type: string - name: + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. + type: boolean + containerConcurrency: + description: |- + ContainerConcurrency specifies the maximum allowed in-flight (concurrent) + requests per container of the Revision. Defaults to `0` which means + concurrency to the application is not limited, and the system decides the + target concurrency for the autoscaler. + type: integer + format: int64 + containers: + description: |- + List of containers belonging to the pod. + Containers cannot currently be added or removed. + There must be at least one container in a Pod. + Cannot be updated. + type: array + items: + description: A single application container that you want to run within a pod. 
+ type: object + properties: + args: + description: |- + Arguments to the entrypoint. + The container image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: type: string - namespace: + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The container image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: type: string - x-kubernetes-preserve-unknown-fields: true - spec: - description: RevisionSpec holds the desired state of the Revision (from the client). - type: object - required: - - containers - properties: - affinity: - description: This is accessible behind a feature flag - kubernetes.podspec-affinity + x-kubernetes-list-type: atomic + env: + description: |- + List of environment variables to set in the container. + Cannot be updated. 
+ type: array + items: + description: EnvVar represents an environment variable present in a Container. type: object - x-kubernetes-preserve-unknown-fields: true - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. - type: boolean - containerConcurrency: - description: |- - ContainerConcurrency specifies the maximum allowed in-flight (concurrent) - requests per container of the Revision. Defaults to `0` which means - concurrency to the application is not limited, and the system decides the - target concurrency for the autoscaler. - type: integer - format: int64 - containers: - description: |- - List of containers belonging to the pod. - Containers cannot currently be added or removed. - There must be at least one container in a Pod. - Cannot be updated. - type: array - items: - description: A single application container that you want to run within a pod. + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. 
+ type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + resourceFieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + description: |- + List of sources to populate environment variables in the container. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Container image name. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + livenessProbe: + description: |- + Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. type: object properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. 
- More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - type: array - items: - type: string - x-kubernetes-list-type: atomic command: description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. type: array items: type: string x-kubernetes-list-type: atomic - env: + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. 
+ type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + + If this is not specified, the default behavior is defined by gRPC. + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: description: |- - List of environment variables to set in the container. - Cannot be updated. + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. type: array items: - description: EnvVar represents an environment variable present in a Container. + description: HTTPHeader describes a custom header to be used in HTTP probes type: object required: - name + - value properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - type: object - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. 
- type: object - required: - - key - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - x-kubernetes-map-type: atomic - fieldRef: - description: This is accessible behind a feature flag - kubernetes.podspec-fieldref - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-map-type: atomic - resourceFieldRef: - description: This is accessible behind a feature flag - kubernetes.podspec-fieldref - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - type: object - required: - - key - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
- type: string - default: "" - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - x-kubernetes-map-type: atomic - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is starting. When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - type: array - items: - description: EnvFromSource represents the source of a set of ConfigMaps - type: object - properties: - configMapRef: - description: The ConfigMap to select from - type: object - properties: - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - x-kubernetes-map-type: atomic - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + value: + description: The header field value type: string - secretRef: - description: The Secret to select from - type: object - properties: - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: Specify whether the Secret must be defined - type: boolean - x-kubernetes-map-type: atomic x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. + path: + description: Path to access on the HTTP server. type: string - imagePullPolicy: + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. 
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string - livenessProbe: + port: description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: object - properties: - exec: - description: Exec specifies the action to take. - type: object - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - x-kubernetes-list-type: atomic - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - type: integer - format: int32 - grpc: - description: GRPC specifies an action involving a GRPC port. - type: object - required: - - port - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - type: integer - format: int32 - service: - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: + description: |- + Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: |- + List of ports to expose from the container. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Modifying this array with strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + type: array + items: + description: ContainerPort represents a network port in a single container. + type: object + required: + - containerPort + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: |- + Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe fails. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. - type: string - httpGet: - description: HTTPGet specifies the http request to perform. - type: object - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - type: array - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - type: object - required: - - name - - value - properties: - name: - description: |- - The header field name. 
- This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. - type: integer - format: int32 - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. + If this is not specified, the default behavior is defined by gRPC. type: string - ports: + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. type: array items: - description: ContainerPort represents a network port in a single container. + description: HTTPHeader describes a custom header to be used in HTTP probes type: object required: - - containerPort + - name + - value properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - type: integer - format: int32 name: description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. type: string - protocol: - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. 
- Defaults to "TCP". + value: + description: The header field value type: string - default: TCP - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: object - properties: - exec: - description: Exec specifies the action to take. - type: object - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - x-kubernetes-list-type: atomic - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - type: integer - format: int32 - grpc: - description: GRPC specifies an action involving a GRPC port. - type: object - required: - - port - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - type: integer - format: int32 - service: - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - - If this is not specified, the default behavior is defined by gRPC. - type: string - httpGet: - description: HTTPGet specifies the http request to perform. 
- type: object - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - type: array - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - type: object - required: - - name - - value - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. - type: integer - format: int32 - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' 
- type: string - port: - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - resources: + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' 
+ type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + resources: + description: |- + Compute Resources required by this container. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. - This field is immutable. It can only be set for containers. - type: array - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - type: object - required: - - name - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - requests: - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - securityContext: + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. 
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + properties: + add: + description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seccompProfile: + description: |- + The seccomp options to use by this container. 
If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - type: object - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- type: object - properties: - add: - description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - seccompProfile: - description: |- - The seccomp options to use by this container. 
If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: + type indicates which kind of seccomp profile will be applied. + Valid options are: - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - startupProbe: + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + startupProbe: + description: |- + StartupProbe indicates that the Pod has successfully initialized. + If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. 
+ type: object + properties: + command: description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: object - properties: - exec: - description: Exec specifies the action to take. - type: object - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - x-kubernetes-list-type: atomic - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - type: integer - format: int32 - grpc: - description: GRPC specifies an action involving a GRPC port. - type: object - required: - - port - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - type: integer - format: int32 - service: - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). 
+ Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. - type: string - httpGet: - description: HTTPGet specifies the http request to perform. - type: object - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - type: array - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - type: object - required: - - name - - value - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
- type: string - value: - description: The header field value - type: string - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. - type: integer - format: int32 - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - type: integer - format: int32 - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. + If this is not specified, the default behavior is defined by gRPC. type: string - terminationMessagePolicy: + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. type: string - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. type: array items: - description: VolumeMount describes a mounting of a Volume within a container. + description: HTTPHeader describes a custom header to be used in HTTP probes type: object required: - - mountPath - name + - value properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. 
- type: string name: - description: This must match the Name of a Volume. - type: string - readOnly: description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. type: string - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. type: string - dnsConfig: - description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig - type: object - x-kubernetes-preserve-unknown-fields: true - dnsPolicy: - description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy - type: string - enableServiceLinks: - description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' 
- type: boolean - hostAliases: - description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases - type: array - items: - description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases - type: object - x-kubernetes-preserve-unknown-fields: true - hostIPC: - description: This is accessible behind a feature flag - kubernetes.podspec-hostipc - type: boolean - x-kubernetes-preserve-unknown-fields: true - hostNetwork: - description: This is accessible behind a feature flag - kubernetes.podspec-hostnetwork - type: boolean - x-kubernetes-preserve-unknown-fields: true - hostPID: - description: This is accessible behind a feature flag - kubernetes.podspec-hostpid - type: boolean - x-kubernetes-preserve-unknown-fields: true - idleTimeoutSeconds: - description: |- - IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed - to stay open while not receiving any bytes from the user's application. If - unspecified, a system default will be provided. - type: integer - format: int64 - imagePullSecrets: - description: |- - ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. - If specified, these secrets will be passed to individual puller implementations for them to use. - More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod - type: array - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - type: object - properties: - name: + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + Scheme to use for connecting to the host. + Defaults to HTTP. type: string - default: "" - x-kubernetes-map-type: atomic - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - initContainers: - description: |- - List of initialization containers belonging to the pod. - Init containers are executed in order prior to containers being started. If any - init container fails, the pod is considered to have failed and is handled according - to its restartPolicy. The name for an init container or normal container must be - unique among all containers. - Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. - The resourceRequirements of an init container are taken into account during scheduling - by finding the highest request/limit for each resource type, and then using the max of - of that value or the sum of the normal containers. Limits are applied to init containers - in a similar fashion. - Init containers cannot currently be added or removed. - Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - type: array - items: - description: This is accessible behind a feature flag - kubernetes.podspec-init-containers - type: object - x-kubernetes-preserve-unknown-fields: true - nodeSelector: - description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-map-type: atomic - priorityClassName: - description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname - type: string - x-kubernetes-preserve-unknown-fields: true - responseStartTimeoutSeconds: - description: |- - ResponseStartTimeoutSeconds is the maximum duration in seconds that the request - routing layer will wait for a request delivered to a container to begin - sending any network traffic. - type: integer - format: int64 - runtimeClassName: - description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname - type: string - x-kubernetes-preserve-unknown-fields: true - schedulerName: - description: This is accessible behind a feature flag - kubernetes.podspec-schedulername - type: string - x-kubernetes-preserve-unknown-fields: true - securityContext: - description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext - type: object - x-kubernetes-preserve-unknown-fields: true - serviceAccountName: - description: |- - ServiceAccountName is the name of the ServiceAccount to use to run this pod. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - type: string - shareProcessNamespace: - description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace - type: boolean - x-kubernetes-preserve-unknown-fields: true - timeoutSeconds: - description: |- - TimeoutSeconds is the maximum duration in seconds that the request instance - is allowed to respond to a request. 
If unspecified, a system default will - be provided. - type: integer - format: int64 - tolerations: - description: This is accessible behind a feature flag - kubernetes.podspec-tolerations - type: array - items: - description: This is accessible behind a feature flag - kubernetes.podspec-tolerations - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-list-type: atomic - topologySpreadConstraints: - description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints - type: array - items: - description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints - type: object - x-kubernetes-preserve-unknown-fields: true - volumes: - description: |- - List of volumes that can be mounted by containers belonging to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes - type: array - items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. type: object - required: - - name properties: - configMap: - description: configMap represents a configMap that should populate this volume - type: object - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - x-kubernetes-list-type: atomic - name: - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: optional specify whether the ConfigMap or its keys must be defined - type: boolean - x-kubernetes-map-type: atomic - emptyDir: - description: This is accessible behind a feature flag - kubernetes.podspec-emptydir - type: object - x-kubernetes-preserve-unknown-fields: true - hostPath: - description: This is accessible behind a feature flag - kubernetes.podspec-hostpath - type: object - x-kubernetes-preserve-unknown-fields: true - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' type: string - persistentVolumeClaim: - description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim - type: object - x-kubernetes-preserve-unknown-fields: true - projected: - description: projected items for all in one resources secrets, configmaps, and downward API - type: object - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - sources: - description: sources is the list of volume projections - type: array - items: - description: Projection that may be projected along with other supported volume types - type: object - properties: - configMap: - description: configMap information about the configMap data to project - type: object - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. 
- type: string - x-kubernetes-list-type: atomic - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: optional specify whether the ConfigMap or its keys must be defined - type: boolean - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the downwardAPI data to project - type: object - properties: - items: - description: Items is a list of DownwardAPIVolume file - type: array - items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field - type: object - required: - - path - properties: - fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' - type: object - required: - - fieldPath - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. - type: string - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- type: integer - format: int32 - path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - type: object - required: - - resource - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - description: Specifies the output format of the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - x-kubernetes-map-type: atomic - x-kubernetes-list-type: atomic - secret: - description: secret information about the secret data to project - type: object - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: key is the key to project. 
- type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - x-kubernetes-list-type: atomic - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - default: "" - optional: - description: optional field specify whether the Secret or its key must be defined - type: boolean - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information about the serviceAccountToken data to project - type: object - required: - - path - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. 
- type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - type: integer - format: int64 - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - x-kubernetes-list-type: atomic - secret: + port: description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: object - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. 
- type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - x-kubernetes-list-map-keys: + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + terminationMessagePath: + description: |- + Optional: Path at which the file to which the container's termination message + will be written is mounted into the container's filesystem. 
+ Message written is intended to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. The total message length across + all containers will be limited to 12kb. + Defaults to /dev/termination-log. + Cannot be updated. + type: string + terminationMessagePolicy: + description: |- + Indicate how the termination message should be populated. File will use the contents of + terminationMessagePath to populate the container status message on both success and failure. + FallbackToLogsOnError will use the last chunk of container log output if the termination + message file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + Defaults to File. + Cannot be updated. + type: string + volumeMounts: + description: |- + Pod volumes to mount into the container's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath - name - x-kubernetes-list-type: map - traffic: + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + description: |- + Container's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. 
+ type: string + dnsConfig: + description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig + type: object + x-kubernetes-preserve-unknown-fields: true + dnsPolicy: + description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' + type: boolean + hostAliases: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: object + x-kubernetes-preserve-unknown-fields: true + hostIPC: + description: This is accessible behind a feature flag - kubernetes.podspec-hostipc + type: boolean + x-kubernetes-preserve-unknown-fields: true + hostNetwork: + description: This is accessible behind a feature flag - kubernetes.podspec-hostnetwork + type: boolean + x-kubernetes-preserve-unknown-fields: true + hostPID: + description: This is accessible behind a feature flag - kubernetes.podspec-hostpid + type: boolean + x-kubernetes-preserve-unknown-fields: true + idleTimeoutSeconds: + description: |- + IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed + to stay open while not receiving any bytes from the user's application. If + unspecified, a system default will be provided. + type: integer + format: int64 + imagePullSecrets: description: |- - Traffic specifies how to distribute traffic over a collection of - revisions and configurations. + ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual puller implementations for them to use. 
+ More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod type: array items: - description: TrafficTarget holds a single entry of the routing table for a Route. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. type: object properties: - configurationName: - description: |- - ConfigurationName of a configuration to whose latest revision we will send - this portion of traffic. When the "status.latestReadyRevisionName" of the - referenced configuration changes, we will automatically migrate traffic - from the prior "latest ready" revision to the new one. This field is never - set in Route's status, only its spec. This is mutually exclusive with - RevisionName. - type: string - latestRevision: + name: description: |- - LatestRevision may be optionally provided to indicate that the latest - ready Revision of the Configuration should be used for this traffic - target. When provided LatestRevision must be true if RevisionName is - empty; it must be false when RevisionName is non-empty. - type: boolean - percent: - description: |- - Percent indicates that percentage based routing should be used and - the value indicates the percent of traffic that is be routed to this - Revision or Configuration. `0` (zero) mean no traffic, `100` means all - traffic. - When percentage based routing is being used the follow rules apply: - - the sum of all percent values must equal 100 - - when not specified, the implied value for `percent` is zero for - that particular Revision or Configuration - type: integer - format: int64 - revisionName: - description: |- - RevisionName of a specific revision to which to send this portion of - traffic. This is mutually exclusive with ConfigurationName. + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string - tag: + default: "" + x-kubernetes-map-type: atomic + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + initContainers: + description: |- + List of initialization containers belonging to the pod. + Init containers are executed in order prior to containers being started. If any + init container fails, the pod is considered to have failed and is handled according + to its restartPolicy. The name for an init container or normal container must be + unique among all containers. + Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. + The resourceRequirements of an init container are taken into account during scheduling + by finding the highest request/limit for each resource type, and then using the max of + of that value or the sum of the normal containers. Limits are applied to init containers + in a similar fashion. + Init containers cannot currently be added or removed. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-init-containers + type: object + x-kubernetes-preserve-unknown-fields: true + nodeSelector: + description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + priorityClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname + type: string + x-kubernetes-preserve-unknown-fields: true + responseStartTimeoutSeconds: + description: |- + ResponseStartTimeoutSeconds is the maximum duration in seconds that the request + routing layer will wait for a request delivered to a container to begin + sending any network traffic. + type: integer + format: int64 + runtimeClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname + type: string + x-kubernetes-preserve-unknown-fields: true + schedulerName: + description: This is accessible behind a feature flag - kubernetes.podspec-schedulername + type: string + x-kubernetes-preserve-unknown-fields: true + securityContext: + description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext + type: object + x-kubernetes-preserve-unknown-fields: true + serviceAccountName: + description: |- + ServiceAccountName is the name of the ServiceAccount to use to run this pod. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + type: string + shareProcessNamespace: + description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace + type: boolean + x-kubernetes-preserve-unknown-fields: true + timeoutSeconds: + description: |- + TimeoutSeconds is the maximum duration in seconds that the request instance + is allowed to respond to a request. 
If unspecified, a system default will + be provided. + type: integer + format: int64 + tolerations: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: object + x-kubernetes-preserve-unknown-fields: true + volumes: + description: |- + List of volumes that can be mounted by containers belonging to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes + type: array + items: + description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + type: object + required: + - name + properties: + configMap: + description: configMap represents a configMap that should populate this volume + type: object + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. 
If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + emptyDir: + description: This is accessible behind a feature flag - kubernetes.podspec-emptydir + type: object + x-kubernetes-preserve-unknown-fields: true + hostPath: + description: This is accessible behind a feature flag - kubernetes.podspec-hostpath + type: object + x-kubernetes-preserve-unknown-fields: true + name: description: |- - Tag is optionally used to expose a dedicated url for referencing - this target exclusively. + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string - url: + persistentVolumeClaim: + description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim + type: object + x-kubernetes-preserve-unknown-fields: true + projected: + description: projected items for all in one resources secrets, configmaps, and downward API + type: object + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ type: integer + format: int32 + sources: + description: sources is the list of volume projections + type: array + items: + description: Projection that may be projected along with other supported volume types + type: object + properties: + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. 
The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. 
+ If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. 
The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + type: integer + format: int64 + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + x-kubernetes-list-type: atomic + secret: description: |- - URL displays the URL for accessing named traffic targets. URL is displayed in - status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and - a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) - type: string + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: object + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. 
+ type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map status: - description: ServiceStatus represents the Status stanza of the Service resource. + description: RevisionStatus communicates the observed state of the Revision (from the controller). type: object properties: - address: - description: Address holds the information needed for a Route to be the target of an event. - type: object - properties: - CACerts: - description: |- - CACerts is the Certification Authority (CA) certificates in PEM format - according to https://www.rfc-editor.org/rfc/rfc7468. - type: string - audience: - description: Audience is the OIDC audience for this address. - type: string - name: - description: Name is the name of the address. 
- type: string - url: - type: string + actualReplicas: + description: ActualReplicas reflects the amount of ready pods running this revision. + type: integer + format: int32 annotations: description: |- Annotations is additional Status fields for the Resource to save some 
@@ -1657,79 +1548,52 @@ spec: type: description: Type of condition. type: string - latestCreatedRevisionName: - description: |- - LatestCreatedRevisionName is the last revision that was created from this - Configuration. It might not be ready yet, for that use LatestReadyRevisionName. - type: string - latestReadyRevisionName: - description: |- - LatestReadyRevisionName holds the name of the latest Revision stamped out - from this Configuration that has had its "Ready" condition become "True". - type: string - observedGeneration: - description: |- - ObservedGeneration is the 'Generation' of the Service that - was last processed by the controller. - type: integer - format: int64 - traffic: + containerStatuses: description: |- - Traffic holds the configured traffic distribution. - These entries will always contain RevisionName references. - When ConfigurationName appears in the spec, this will hold the - LatestReadyRevisionName that we last observed. + ContainerStatuses is a slice of images present in .Spec.Container[*].Image + to their respective digests and their container name. + The digests are resolved during the creation of Revision. + ContainerStatuses holds the container name and image digests + for both serving and non serving containers. + ref: http://bit.ly/image-digests type: array items: - description: TrafficTarget holds a single entry of the routing table for a Route. + description: ContainerStatus holds the information of container name and image digest value type: object properties: - configurationName: - description: |- - ConfigurationName of a configuration to whose latest revision we will send - this portion of traffic. When the "status.latestReadyRevisionName" of the - referenced configuration changes, we will automatically migrate traffic - from the prior "latest ready" revision to the new one. This field is never - set in Route's status, only its spec. This is mutually exclusive with - RevisionName. 
+ imageDigest: type: string - latestRevision: - description: |- - LatestRevision may be optionally provided to indicate that the latest - ready Revision of the Configuration should be used for this traffic - target. When provided LatestRevision must be true if RevisionName is - empty; it must be false when RevisionName is non-empty. - type: boolean - percent: - description: |- - Percent indicates that percentage based routing should be used and - the value indicates the percent of traffic that is be routed to this - Revision or Configuration. `0` (zero) mean no traffic, `100` means all - traffic. - When percentage based routing is being used the follow rules apply: - - the sum of all percent values must equal 100 - - when not specified, the implied value for `percent` is zero for - that particular Revision or Configuration - type: integer - format: int64 - revisionName: - description: |- - RevisionName of a specific revision to which to send this portion of - traffic. This is mutually exclusive with ConfigurationName. + name: type: string - tag: - description: |- - Tag is optionally used to expose a dedicated url for referencing - this target exclusively. + desiredReplicas: + description: DesiredReplicas reflects the desired amount of pods running this revision. + type: integer + format: int32 + initContainerStatuses: + description: |- + InitContainerStatuses is a slice of images present in .Spec.InitContainer[*].Image + to their respective digests and their container name. + The digests are resolved during the creation of Revision. + ContainerStatuses holds the container name and image digests + for both serving and non serving containers. + ref: http://bit.ly/image-digests + type: array + items: + description: ContainerStatus holds the information of container name and image digest value + type: object + properties: + imageDigest: type: string - url: - description: |- - URL displays the URL for accessing named traffic targets. 
URL is displayed in - status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and - a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) + name: type: string - url: + logUrl: description: |- - URL holds the url that will distribute traffic over the provided traffic targets. - It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} + LogURL specifies the generated logging url for this particular revision + based on the revision url template specified in the controller's config. type: string + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + type: integer + format: int64 From 7fc88845c24577ada107fbf40a793e811238c4d5 Mon Sep 17 00:00:00 2001 From: Amarendra Kumar Date: Mon, 9 Dec 2024 21:51:09 +0530 Subject: [PATCH 6/8] remove white spaces --- hack/schemapatch-config.yaml | 88 ++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/hack/schemapatch-config.yaml b/hack/schemapatch-config.yaml index 37aa3f807ac8..6aebd6dabfe0 100644 --- a/hack/schemapatch-config.yaml +++ b/hack/schemapatch-config.yaml 
@@ -86,17 +86,17 @@ k8s.io/api/core/v1.PodSpec: Affinity: description: "This is accessible behind a feature flag - kubernetes.podspec-affinity" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields DNSPolicy: description: "This is accessible behind a feature flag - kubernetes.podspec-dnspolicy" DNSConfig: description: "This is accessible behind a feature flag - kubernetes.podspec-dnsconfig" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields EnableServiceLinks: description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' HostAliases: @@ -106,9 +106,9 @@ k8s.io/api/core/v1.PodSpec: itemOverride: description: "This is accessible behind a feature flag - kubernetes.podspec-hostaliases" additionalMarkers: - # # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields Containers: additionalMarkers: - kubebuilder:validation:DropListMapMarkers 
@@ -118,33 +118,33 @@ k8s.io/api/core/v1.PodSpec: itemOverride: description: "This is accessible behind a feature flag - kubernetes.podspec-init-containers" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields - NodeSelector: - description: "This is accessible behind a feature flag - kubernetes.podspec-nodeselector" - additionalMarkers: # Part of a feature flag - so we want to omit the schema and preserve unknown fields - kubebuilder:validation:DropProperties - kubebuilder:pruning:PreserveUnknownFields + NodeSelector: + description: "This is accessible behind a feature flag - kubernetes.podspec-nodeselector" + additionalMarkers: + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields PriorityClassName: description: "This is accessible behind a feature flag - kubernetes.podspec-priorityclassname" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields RuntimeClassName: description: "This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields SchedulerName: description: "This is accessible behind a feature flag - 
kubernetes.podspec-schedulername" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields SecurityContext: description: "This is accessible behind a feature flag - kubernetes.podspec-securitycontext" additionalMarkers: @@ -160,9 +160,9 @@ k8s.io/api/core/v1.PodSpec: HostIPC: description: "This is accessible behind a feature flag - kubernetes.podspec-hostipc" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields HostPID: description: "This is accessible behind a feature flag - kubernetes.podspec-hostpid" additionalMarkers: @@ -180,9 +180,9 @@ k8s.io/api/core/v1.PodSpec: itemOverride: description: "This is accessible behind a feature flag - kubernetes.podspec-tolerations" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields TopologySpreadConstraints: description: "This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints" additionalMarkers: 
@@ -190,9 +190,9 @@ k8s.io/api/core/v1.PodSpec: itemOverride: description: "This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields k8s.io/api/core/v1.Container: fieldMask: - Name @@ -215,10 +215,10 @@ k8s.io/api/core/v1.Container: fieldOverrides: Name: additionalMarkers: - - optional + - optional Ports: additionalMarkers: - - optional + - optional k8s.io/api/core/v1.VolumeMount: fieldMask: - Name @@ -259,7 +259,7 @@ k8s.io/api/core/v1.HTTPGetAction: fieldOverrides: Port: additionalMarkers: - - optional + - optional k8s.io/api/core/v1.TCPSocketAction: fieldMask: - Host @@ -267,7 +267,7 @@ k8s.io/api/core/v1.TCPSocketAction: fieldOverrides: Port: additionalMarkers: - - optional + - optional k8s.io/api/core/v1.ContainerPort: fieldMask: - ContainerPort 
@@ -288,15 +288,15 @@ k8s.io/api/core/v1.EnvVarSource: FieldRef: description: "This is accessible behind a feature flag - kubernetes.podspec-fieldref" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields ResourceFieldRef: description: "This is accessible behind a feature flag - kubernetes.podspec-fieldref" additionalMarkers: - # Part of a feature flag - so we want to omit the schema and preserve unknown fields - - kubebuilder:validation:DropProperties - - kubebuilder:pruning:PreserveUnknownFields + # Part of a feature flag - so we want to omit the schema and preserve unknown fields + - kubebuilder:validation:DropProperties + - kubebuilder:pruning:PreserveUnknownFields k8s.io/api/core/v1.LocalObjectReference: fieldMask: - Name @@ -347,4 +347,4 @@ k8s.io/api/core/v1.ObjectReference: fieldMask: - APIVersion - Kind - - Name \ No newline at end of file + - Name From 5cd7605751bbc920434918cc859b7ba0ff1a1802 Mon Sep 17 00:00:00 2001 From: Amarendra Kumar Date: Tue, 10 Dec 2024 23:56:33 +0530 Subject: [PATCH 7/8] added Comment --- pkg/apis/serving/k8s_validation.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/apis/serving/k8s_validation.go b/pkg/apis/serving/k8s_validation.go index 56ed7ab8dfed..a11caf443ba1 100644 --- a/pkg/apis/serving/k8s_validation.go +++ b/pkg/apis/serving/k8s_validation.go 
@@ -297,6 +297,8 @@ func validateEmptyDirFields(dir *corev1.EmptyDirVolumeSource) *apis.FieldError { func validateHostPathVolumeSource(hostPath *corev1.HostPathVolumeSource) *apis.FieldError { var errs *apis.FieldError + // This is checked at the K8s side for host Path so better validate early + // ref: https://bit.ly/4gcWAVK if len(hostPath.Path) == 0 { errs = errs.Also(apis.ErrInvalidValue("''", "path")) return errs From 01bb99ff603618a8f51a5dd53067f4de82d8e303 Mon Sep 17 00:00:00 2001 From: Amarendra Kumar Date: Mon, 6 Jan 2025 22:43:05 +0530 Subject: [PATCH 8/8] remove extra validations as its there in K8 --- pkg/apis/serving/k8s_validation.go | 55 ------------------------- pkg/apis/serving/k8s_validation_test.go | 50 ---------------------- 2 files changed, 105 deletions(-) diff --git a/pkg/apis/serving/k8s_validation.go b/pkg/apis/serving/k8s_validation.go index a11caf443ba1..42946b80ef99 100644 --- a/pkg/apis/serving/k8s_validation.go +++ b/pkg/apis/serving/k8s_validation.go @@ -21,7 +21,6 @@ import ( "fmt" "math" "path" - "path/filepath" "strings" "github.com/google/go-containerregistry/pkg/name" @@ -162,11 +161,6 @@ func validateVolume(ctx context.Context, volume corev1.Volume) *apis.FieldError specified = append(specified, "persistentVolumeClaim") } - if vs.HostPath != nil { - specified = append(specified, "hostPath") - errs = errs.Also(validateHostPathVolumeSource(vs.HostPath).ViaField("hostPath")) - } - if len(specified) == 0 { fieldPaths := []string{"secret", "configMap", "projected"} cfg := config.FromContextOrDefaults(ctx) 
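Review bot: The reference added above the empty-path check in validateHostPathVolumeSource is a bit.ly short link, which hides its destination from reviewers and can expire or be re-pointed later. Spell out what the upstream rule is and link the full URL, pinned to a commit or release tag, for example `// The Kubernetes API server also rejects an empty hostPath.path; fail early with a field-scoped error.` followed by `// ref: <full permalink to the upstream hostPath validation>`. The function body continues past the end of this hunk.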
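Review bot: With `specified = append(specified, "hostPath")` removed from validateVolume (hunk at -162), a volume whose only source is hostPath appears to leave `specified` empty and reach the `len(specified) == 0` branch, so it would be rejected with ErrMissingOneOf even when the feature flag is enabled; the hunk at -176 also drops hostPath from that error's field list. If the intent is only to drop the duplicated path and type checks, keep `if vs.HostPath != nil { specified = append(specified, "hostPath") }` and the `fieldPaths` append guarded by `cfg.Features.PodSpecVolumesHostPath`. validateVolume starts and ends outside these hunks, so this assumes no other branch records hostPath. Separately, removing the `..` and type checks (hunk at -295) presumably means an invalid hostPath is no longer rejected at Knative admission and only surfaces when the API server validates the generated pod template, which deserves a sentence in the commit description.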
@@ -176,9 +170,6 @@ func validateVolume(ctx context.Context, volume corev1.Volume) *apis.FieldError if cfg.Features.PodSpecPersistentVolumeClaim == config.Enabled { fieldPaths = append(fieldPaths, "persistentVolumeClaim") } - if cfg.Features.PodSpecVolumesHostPath == config.Enabled { - fieldPaths = append(fieldPaths, "hostPath") - } errs = errs.Also(apis.ErrMissingOneOf(fieldPaths...)) } else if len(specified) > 1 { errs = errs.Also(apis.ErrMultipleOneOf(specified...)) 
@@ -295,52 +286,6 @@ func validateEmptyDirFields(dir *corev1.EmptyDirVolumeSource) *apis.FieldError { return errs } -func validateHostPathVolumeSource(hostPath *corev1.HostPathVolumeSource) *apis.FieldError { - var errs *apis.FieldError - // This is checked at the K8s side for host Path so better validate early - // ref: https://bit.ly/4gcWAVK - if len(hostPath.Path) == 0 { - errs = errs.Also(apis.ErrInvalidValue("''", "path")) - return errs - } - errs = errs.Also(validatePathNoBacksteps(hostPath.Path, "path")) - errs = errs.Also(validateHostPathType(hostPath.Type, "type")) - return errs -} - -// validatePathNoBacksteps makes sure the targetPath does not have any `..` path elements when split -// -// This assumes the OS of the apiserver and the nodes are the same. The same check should be done -// on the node to ensure there are no backsteps. -func validatePathNoBacksteps(targetPath string, fldPath string) *apis.FieldError { - var errs *apis.FieldError - parts := strings.Split(filepath.ToSlash(targetPath), "/") - for _, item := range parts { - if item == ".." { - errs = errs.Also(apis.ErrInvalidValue(targetPath, fldPath, "must not contain '..'")) - break // even for `../../..`, one error is sufficient to make the point - } - } - return errs -} - -func validateHostPathType(hostPathType *corev1.HostPathType, fldPath string) *apis.FieldError { - var errs *apis.FieldError - supportedHostPathTypes := sets.New( - corev1.HostPathUnset, - corev1.HostPathDirectoryOrCreate, - corev1.HostPathDirectory, - corev1.HostPathFileOrCreate, - corev1.HostPathFile, - corev1.HostPathSocket, - corev1.HostPathCharDev, - corev1.HostPathBlockDev) - if hostPathType != nil && !supportedHostPathTypes.Has(*hostPathType) { - errs = errs.Also(apis.ErrInvalidValue(*hostPathType, fldPath, "unknown type")) - } - return errs -} - func validateEnvValueFrom(ctx context.Context, source *corev1.EnvVarSource) *apis.FieldError { if source == nil { return nil 
diff --git a/pkg/apis/serving/k8s_validation_test.go b/pkg/apis/serving/k8s_validation_test.go index 2deb34cb2553..892e381f8901 100644 --- a/pkg/apis/serving/k8s_validation_test.go +++ b/pkg/apis/serving/k8s_validation_test.go @@ -171,13 +171,6 @@ func withMultiContainerProbesEnabled() configOption { } } -func withPodSpecVolumesHostPathEnabled() configOption { - return func(cfg *config.Config) *config.Config { - cfg.Features.PodSpecVolumesHostPath = config.Enabled - return cfg - } -} - func withPodSpecDNSPolicyEnabled() configOption { return func(cfg *config.Config) *config.Config { cfg.Features.PodSpecDNSPolicy = config.Enabled 
@@ -2918,49 +2911,6 @@ func TestVolumeValidation(t *testing.T) { Message: `Persistent volume write support is disabled, but found persistent volume claim myclaim that is not read-only`, }).Also( &apis.FieldError{Message: "must not set the field(s)", Paths: []string{"persistentVolumeClaim"}}), - }, { - name: "hostPath volume", - v: corev1.Volume{ - Name: "foo", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "foo/foo", - }, - }, - }, - cfgOpts: []configOption{withPodSpecVolumesHostPathEnabled()}, - }, { - name: "invalid hostPath volume, invalid type", - v: corev1.Volume{ - Name: "foo", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "foo/foo", - Type: (*corev1.HostPathType)(ptr.String("wrong")), - }, - }, - }, - cfgOpts: []configOption{withPodSpecVolumesHostPathEnabled()}, - want: &apis.FieldError{ - Message: `invalid value: wrong`, - Paths: []string{"hostPath.type"}, - Details: "unknown type", - }, - }, { - name: "invalid hostPath volume, empty path", - v: corev1.Volume{ - Name: "foo", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "", - }, - }, - }, - cfgOpts: []configOption{withPodSpecVolumesHostPathEnabled()}, - want: &apis.FieldError{ - Message: `invalid value: ''`, - Paths: []string{"hostPath.path"}, - }, }, { name: "no volume source", v: corev1.Volume{