easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1552 from PhilipGough/release-0.10-prep

Browse Source 
Prep for release-0.10
This commit is contained in:
Philip Gough
2021-12-17 12:24:39 +00:00
committed by GitHub
parent 3652ff073e c6dc6c7d1e
commit 4d6f45c5f0
7 changed files with 862 additions and 322 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
CHANGELOG.md
View File

@@ -1,3 +1,30 @@
## release-0.10 / 2021-12-17
* [CHANGE] Adjust node filesystem space filling up warning threshold to 20% [#1357](https://github.com/prometheus-operator/kube-prometheus/pull/1357)
* [CHANGE] Always generate grafana-config secret [#1373](https://github.com/prometheus-operator/kube-prometheus/pull/1373)
* [CHANGE] Make filesystem ignored mount points configurable for node-exporter [#1376](https://github.com/prometheus-operator/kube-prometheus/pull/1376)
* [CHANGE] Drop some high cardinality cAdvisor metrics [#1406](https://github.com/prometheus-operator/kube-prometheus/pull/1406), [#1396](https://github.com/prometheus-operator/kube-prometheus/pull/1396)
* [CHANGE] Use `--collector.filesystem.mount-points-exclude` instead of deprecated `--collector.filesystem.ignored-mount-points` argument for `node-exporter` [#1407](https://github.com/prometheus-operator/kube-prometheus/pull/1407)
* [CHANGE] Drop some of prometheus-adapter metrics that are inherited from the apiserver code but aren't useful in the context of prometheus-adapter [#1409](https://github.com/prometheus-operator/kube-prometheus/pull/1409)
* [CHANGE] Remove "app" label selector deprecated by Prometheus-operator [#1420](https://github.com/prometheus-operator/kube-prometheus/pull/1420)
* [CHANGE] Use recommended instance label for Prometheus/Alertmanager resources [#1520](https://github.com/prometheus-operator/kube-prometheus/pull/1520)
* [CHANGE] Drop deprecated apiserver_longrunning_gauge and apiserver_registered_watchers metrics [#1553](https://github.com/prometheus-operator/kube-prometheus/pull/1553)
* [CHANGE] Drop deprecated coredns_cache_misses_total [#1553](https://github.com/prometheus-operator/kube-prometheus/pull/1553)
* [ENHANCEMENT] Add support for LDAP authentication in Grafana [#1455](https://github.com/prometheus-operator/kube-prometheus/pull/1445)
* [ENHANCEMENT] Include rewritten kubernetes-grafana for easier usage of new library features [#1450](https://github.com/prometheus-operator/kube-prometheus/pull/1450)
* [ENHANCEMENT] Specify default container in node-exporter pod [#1462](https://github.com/prometheus-operator/kube-prometheus/pull/1462)
* [ENHANCEMENT] Make metadata consistent across objects in the same component [#1471](https://github.com/prometheus-operator/kube-prometheus/pull/1471)
* [ENHANCEMENT] Establish convention for default field types [#1475](https://github.com/prometheus-operator/kube-prometheus/pull/1475)
* [ENHANCEMENT] Exclude k3s containerd mountpoints [#1497](https://github.com/prometheus-operator/kube-prometheus/pull/1497)
* [ENHANCEMENT] Alertmanager now uses the new `matcher` syntax in the routing tree and inhibition rules [#1508](https://github.com/prometheus-operator/kube-prometheus/pull/1508)
* [ENHANCEMENT] Deprecate `thanosSelector` and expose `mixin._config.thanos` config variable for thanos sidecar [#1543](https://github.com/prometheus-operator/kube-prometheus/pull/1543)
* [FEATURE] Support scraping config-reloader sidecar for Prometheus and AlertManager StatefulSets [#1344](https://github.com/prometheus-operator/kube-prometheus/pull/1344)
* [FEATURE] Expose prometheus alerting configuration in $.values.prometheus configuration [#1476](https://github.com/prometheus-operator/kube-prometheus/pull/1476)
* [BUGFIX] Remove deprecated policy/v1beta1 Kubernetes API [#1433](https://github.com/prometheus-operator/kube-prometheus/pull/1433)
* [BUGFIX] Fix prometheus URL in prometheus-adapter [#1463](https://github.com/prometheus-operator/kube-prometheus/pull/1463)
* [BUGFIX] Always use proper values scope for namespace in addons [#1518](https://github.com/prometheus-operator/kube-prometheus/pull/1518)
* [BUGFIX] Fix default empty groups for k8s PrometheusRule [#1534](https://github.com/prometheus-operator/kube-prometheus/pull/1534)
## release-0.9 / 2021-08-19 ## release-0.9 / 2021-08-19
* [CHANGE] Test against Kubernetes 1.21 and 1,22. #1161 #1337 * [CHANGE] Test against Kubernetes 1.21 and 1,22. #1161 #1337

14
README.md
View File

@@ -91,13 +91,13 @@ $ minikube addons disable metrics-server
The following versions are supported and work as we test against these versions in their respective branches. But note that other versions might work! The following versions are supported and work as we test against these versions in their respective branches. But note that other versions might work!
| kube-prometheus stack | Kubernetes 1.18 | Kubernetes 1.19 | Kubernetes 1.20 | Kubernetes 1.21 | Kubernetes 1.22 | Kubernetes 1.23 | | kube-prometheus stack | Kubernetes 1.19 | Kubernetes 1.20 | Kubernetes 1.21 | Kubernetes 1.22 | Kubernetes 1.23 |
|------------------------------------------------------------------------------------------|-----------------|-----------------|-----------------|-----------------|-----------------|-----------------| |--------------------------------------------------------------------------------------------|-----------------|-----------------|-----------------|-----------------|-----------------|
| [`release-0.6`](https://github.com/prometheus-operator/kube-prometheus/tree/release-0.6) | ✗ | ✔ | | ✗ | ✗ | ✗ | | [`release-0.7`](https://github.com/prometheus-operator/kube-prometheus/tree/release-0.7) | ✔ | | ✗ | ✗ | ✗ |
| [`release-0.7`](https://github.com/prometheus-operator/kube-prometheus/tree/release-0.7) | ✗ | ✔ | ✔ | ✗ | ✗ | ✗ | | [`release-0.8`](https://github.com/prometheus-operator/kube-prometheus/tree/release-0.8) | ✗ | ✔ | ✔ | ✗ | ✗ |
| [`release-0.8`](https://github.com/prometheus-operator/kube-prometheus/tree/release-0.8) | ✗ | ✗ | ✔ | ✔ | ✗ | ✗ | | [`release-0.9`](https://github.com/prometheus-operator/kube-prometheus/tree/release-0.9) | ✗ | ✗ | ✔ | ✔ | ✗ |
| [`release-0.9`](https://github.com/prometheus-operator/kube-prometheus/tree/release-0.9) | ✗ | ✗ | ✗ | ✔ | ✔ | ✗ | | [`release-0.10`](https://github.com/prometheus-operator/kube-prometheus/tree/release-0.10) | ✗ | ✗ | ✗ | ✔ | ✔ |
| [`main`](https://github.com/prometheus-operator/kube-prometheus/tree/main) | ✗ | ✗ | ✗ | ✗ | ✔ | ✔ | | [`main`](https://github.com/prometheus-operator/kube-prometheus/tree/main) | ✗ | ✗ | ✗ | ✔ | ✔ |
## Quickstart ## Quickstart

22
jsonnet/kube-prometheus/jsonnetfile.json
View File

@@ -8,7 +8,7 @@
"subdir": "grafana" "subdir": "grafana"
} }
}, },
"version": "master" "version": "199e363523104ff8b3a12483a4e3eca86372b078"
}, },
{ {
"source": { "source": {
@@ -17,7 +17,7 @@
"subdir": "contrib/mixin" "subdir": "contrib/mixin"
} }
}, },
"version": "main" "version": "release-3.5"
}, },
{ {
"source": { "source": {
@@ -26,7 +26,7 @@
"subdir": "jsonnet/prometheus-operator" "subdir": "jsonnet/prometheus-operator"
} }
}, },
"version": "main" "version": "release-0.53"
}, },
{ {
"source": { "source": {
@@ -35,7 +35,7 @@
"subdir": "jsonnet/mixin" "subdir": "jsonnet/mixin"
} }
}, },
"version": "main", "version": "release-0.53",
"name": "prometheus-operator-mixin" "name": "prometheus-operator-mixin"
}, },
{ {
@@ -45,7 +45,7 @@
"subdir": "" "subdir": ""
} }
}, },
"version": "master" "version": "release-0.10"
}, },
{ {
"source": { "source": {
@@ -54,7 +54,7 @@
"subdir": "jsonnet/kube-state-metrics" "subdir": "jsonnet/kube-state-metrics"
} }
}, },
"version": "master" "version": "release-2.3"
}, },
{ {
"source": { "source": {
@@ -63,7 +63,7 @@
"subdir": "jsonnet/kube-state-metrics-mixin" "subdir": "jsonnet/kube-state-metrics-mixin"
} }
}, },
"version": "master" "version": "release-2.3"
}, },
{ {
"source": { "source": {
@@ -72,7 +72,7 @@
"subdir": "docs/node-mixin" "subdir": "docs/node-mixin"
} }
}, },
"version": "master" "version": "release-1.3"
}, },
{ {
"source": { "source": {
@@ -81,7 +81,7 @@
"subdir": "documentation/prometheus-mixin" "subdir": "documentation/prometheus-mixin"
} }
}, },
"version": "main", "version": "release-2.32",
"name": "prometheus" "name": "prometheus"
}, },
{ {
@@ -91,7 +91,7 @@
"subdir": "doc/alertmanager-mixin" "subdir": "doc/alertmanager-mixin"
} }
}, },
"version": "main", "version": "release-0.23",
"name": "alertmanager" "name": "alertmanager"
}, },
{ {
@@ -101,7 +101,7 @@
"subdir": "mixin" "subdir": "mixin"
} }
}, },
"version": "main", "version": "release-0.23",
"name": "thanos-mixin" "name": "thanos-mixin"
} }
], ],

32
jsonnetfile.lock.json
View File

@@ -18,8 +18,8 @@
"subdir": "contrib/mixin" "subdir": "contrib/mixin"
} }
}, },
"version": "29292aa7bdafaf65cb5e054591fe0ff07b36f5ee", "version": "73080a716634f45d50d0593e0454ed3206a52f5b",
"sum": "cdKL5kPYfpWSpTCu4qctmh+gWQqL+4YWom6rw9qLYJU=" "sum": "W/Azptf1PoqjyMwJON96UY69MFugDA4IAYiKURscryc="
}, },
{ {
"source": { "source": {
@@ -38,7 +38,7 @@
"subdir": "grafana-builder" "subdir": "grafana-builder"
} }
}, },
"version": "b102f9ac7d1290ac025c2a7ac99f7fd9a9948503", "version": "3f17cac91d85f4e79d00373e3a8e7ad82d9cefbf",
"sum": "0KkygBQd/AFzUvVzezE4qF/uDYgrwUXVpZfINBti0oc=" "sum": "0KkygBQd/AFzUvVzezE4qF/uDYgrwUXVpZfINBti0oc="
}, },
{ {
@@ -48,8 +48,8 @@
"subdir": "" "subdir": ""
} }
}, },
"version": "9821d07e94e9a9916575a234fb699ae3331fa939", "version": "b538a10c89508f8d12885680cca72a134d3127f5",
"sum": "xubNXyvDwUw9GZzi9BRb6ob3bYzfoMr5F5zCVn2d7ag=" "sum": "GLt5T2k4RKg36Gfcaf9qlTfVumDitqotVD0ipz/bPJ4="
}, },
{ {
"source": { "source": {
@@ -58,7 +58,7 @@
"subdir": "lib/promgrafonnet" "subdir": "lib/promgrafonnet"
} }
}, },
"version": "9821d07e94e9a9916575a234fb699ae3331fa939", "version": "fd913499e956da06f520c3784c59573ee552b152",
"sum": "zv7hXGui6BfHzE9wPatHI/AGZa4A2WKo6pq7ZdqBsps=" "sum": "zv7hXGui6BfHzE9wPatHI/AGZa4A2WKo6pq7ZdqBsps="
}, },
{ {
@@ -68,7 +68,7 @@
"subdir": "jsonnet/kube-state-metrics" "subdir": "jsonnet/kube-state-metrics"
} }
}, },
"version": "b761b5382bdd85d7af915516f48cba1c46859c1d", "version": "b550d7a3bce031bdb51c4bf21cc992a785fc3188",
"sum": "U1wzIpTAtOvC1yj43Y8PfvT0JfvnAcMfNH12Wi+ab0Y=" "sum": "U1wzIpTAtOvC1yj43Y8PfvT0JfvnAcMfNH12Wi+ab0Y="
}, },
{ {
@@ -78,7 +78,7 @@
"subdir": "jsonnet/kube-state-metrics-mixin" "subdir": "jsonnet/kube-state-metrics-mixin"
} }
}, },
"version": "b761b5382bdd85d7af915516f48cba1c46859c1d", "version": "b550d7a3bce031bdb51c4bf21cc992a785fc3188",
"sum": "u8gaydJoxEjzizQ8jY8xSjYgWooPmxw+wIWdDxifMAk=" "sum": "u8gaydJoxEjzizQ8jY8xSjYgWooPmxw+wIWdDxifMAk="
}, },
{ {
@@ -88,7 +88,7 @@
"subdir": "jsonnet/mixin" "subdir": "jsonnet/mixin"
} }
}, },
"version": "335ebbc2f6ecf10b699821fa8cebcbff4a718ca7", "version": "1b4cc829251a4c129615efe707d9403c7248888e",
"sum": "qZ4WgiweaE6eeKtFK60QUjLO8sf2L9Q8fgafWvDcyfY=", "sum": "qZ4WgiweaE6eeKtFK60QUjLO8sf2L9Q8fgafWvDcyfY=",
"name": "prometheus-operator-mixin" "name": "prometheus-operator-mixin"
}, },
@@ -99,8 +99,8 @@
"subdir": "jsonnet/prometheus-operator" "subdir": "jsonnet/prometheus-operator"
} }
}, },
"version": "335ebbc2f6ecf10b699821fa8cebcbff4a718ca7", "version": "1b4cc829251a4c129615efe707d9403c7248888e",
"sum": "Vr2IY6Uz1lYYyGDF7QaEAVkJwAtOEikCfuXJN2eAUM0=" "sum": "9R1mw4Tz0/1V1QWkJMzqE4+iXXONEfYVikW8Mj5AOcA="
}, },
{ {
"source": { "source": {
@@ -109,7 +109,7 @@
"subdir": "doc/alertmanager-mixin" "subdir": "doc/alertmanager-mixin"
} }
}, },
"version": "e2a10119aaf7777fa523d216e05897c5b719134c", "version": "16fa045db47d68a09a102c7b80b8899c1f57c153",
"sum": "pep+dHzfIjh2SU5pEkwilMCAT/NoL6YYflV4x8cr7vU=", "sum": "pep+dHzfIjh2SU5pEkwilMCAT/NoL6YYflV4x8cr7vU=",
"name": "alertmanager" "name": "alertmanager"
}, },
@@ -120,7 +120,7 @@
"subdir": "docs/node-mixin" "subdir": "docs/node-mixin"
} }
}, },
"version": "7dbf35891570f9ce3bccb25a55176ea4923b35dd", "version": "a2321e7b940ddcff26873612bccdf7cd4c42b6b6",
"sum": "MlWDAKGZ+JArozRKdKEvewHeWn8j2DNBzesJfLVd0dk=" "sum": "MlWDAKGZ+JArozRKdKEvewHeWn8j2DNBzesJfLVd0dk="
}, },
{ {
@@ -130,7 +130,7 @@
"subdir": "documentation/prometheus-mixin" "subdir": "documentation/prometheus-mixin"
} }
}, },
"version": "6f3e664ae712850b020d95c5c8b8a6ff841803bd", "version": "67a64ee092b79e797ea9aa46856a15c435093c7e",
"sum": "ZjQoYhvgKwJNkg+h+m9lW3SYjnjv5Yx5btEipLhru88=", "sum": "ZjQoYhvgKwJNkg+h+m9lW3SYjnjv5Yx5btEipLhru88=",
"name": "prometheus" "name": "prometheus"
}, },
@@ -141,8 +141,8 @@
"subdir": "mixin" "subdir": "mixin"
} }
}, },
"version": "9a26b0edee19a06c6e99a09e33ebceca734c91f9", "version": "632032712f12eea0015aaef24ee1e14f38ef3e55",
"sum": "1Y1cPIeoPg2nCAEhKPCt8bAGuwuOP2eZ3kVF432mlMA=", "sum": "X+060DnePPeN/87fgj0SrfxVitywTk8hZA9V4nHxl1g=",
"name": "thanos-mixin" "name": "thanos-mixin"
}, },
{ {

363
manifests/setup/0alertmanagerCustomResourceDefinition.yaml
View File

@@ -1222,8 +1222,7 @@ spec:
info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1284,9 +1283,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -1309,18 +1309,16 @@ spec:
is terminated due to an API request or management event is terminated due to an API request or management event
such as liveness/startup probe failure, preemption, resource such as liveness/startup probe failure, preemption, resource
contention, etc. The handler is not called if the container contention, etc. The handler is not called if the container
crashes or exits. The reason for termination is passed crashes or exits. The Pod''s termination grace period
to the handler. The Pod''s termination grace period countdown countdown begins before the PreStop hook is executed.
begins before the PreStop hooked is executed. Regardless Regardless of the outcome of the handler, the container
of the outcome of the handler, the container will eventually will eventually terminate within the Pod''s termination
terminate within the Pod''s termination grace period. grace period (unless delayed by finalizers). Other management
Other management of the container blocks until the hook of the container blocks until the hook completes or until
completes or until the termination grace period is reached. the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1381,9 +1379,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -1408,8 +1407,7 @@ spec:
info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1430,6 +1428,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -1493,9 +1510,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -1593,8 +1609,7 @@ spec:
fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1615,6 +1630,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -1678,9 +1712,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -1761,12 +1794,14 @@ spec:
This bool directly controls if the no_new_privs flag will This bool directly controls if the no_new_privs flag will
be set on the container process. AllowPrivilegeEscalation be set on the container process. AllowPrivilegeEscalation
is true always when the container is: 1) run as Privileged is true always when the container is: 1) run as Privileged
2) has CAP_SYS_ADMIN' 2) has CAP_SYS_ADMIN Note that this field cannot be set
when spec.os.name is windows.'
type: boolean type: boolean
capabilities: capabilities:
description: The capabilities to add/drop when running containers. description: The capabilities to add/drop when running containers.
Defaults to the default set of capabilities granted by Defaults to the default set of capabilities granted by
the container runtime. the container runtime. Note that this field cannot be
set when spec.os.name is windows.
properties: properties:
add: add:
description: Added capabilities description: Added capabilities
@@ -1786,25 +1821,29 @@ spec:
privileged: privileged:
description: Run container in privileged mode. Processes description: Run container in privileged mode. Processes
in privileged containers are essentially equivalent to in privileged containers are essentially equivalent to
root on the host. Defaults to false. root on the host. Defaults to false. Note that this field
cannot be set when spec.os.name is windows.
type: boolean type: boolean
procMount: procMount:
description: procMount denotes the type of proc mount to description: procMount denotes the type of proc mount to
use for the containers. The default is DefaultProcMount use for the containers. The default is DefaultProcMount
which uses the container runtime defaults for readonly which uses the container runtime defaults for readonly
paths and masked paths. This requires the ProcMountType paths and masked paths. This requires the ProcMountType
feature flag to be enabled. feature flag to be enabled. Note that this field cannot
be set when spec.os.name is windows.
type: string type: string
readOnlyRootFilesystem: readOnlyRootFilesystem:
description: Whether this container has a read-only root description: Whether this container has a read-only root
filesystem. Default is false. filesystem. Default is false. Note that this field cannot
be set when spec.os.name is windows.
type: boolean type: boolean
runAsGroup: runAsGroup:
description: The GID to run the entrypoint of the container description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set process. Uses runtime default if unset. May also be set
in PodSecurityContext. If set in both SecurityContext in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
runAsNonRoot: runAsNonRoot:
@@ -1822,7 +1861,8 @@ spec:
process. Defaults to user specified in image metadata process. Defaults to user specified in image metadata
if unspecified. May also be set in PodSecurityContext. If if unspecified. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence. value specified in SecurityContext takes precedence. Note
that this field cannot be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
seLinuxOptions: seLinuxOptions:
@@ -1831,7 +1871,8 @@ spec:
random SELinux context for each container. May also be random SELinux context for each container. May also be
set in PodSecurityContext. If set in both SecurityContext set in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
properties: properties:
level: level:
description: Level is SELinux level label that applies description: Level is SELinux level label that applies
@@ -1854,6 +1895,8 @@ spec:
description: The seccomp options to use by this container. description: The seccomp options to use by this container.
If seccomp options are provided at both the pod & container If seccomp options are provided at both the pod & container
level, the container options override the pod options. level, the container options override the pod options.
Note that this field cannot be set when spec.os.name is
windows.
properties: properties:
localhostProfile: localhostProfile:
description: localhostProfile indicates a profile defined description: localhostProfile indicates a profile defined
@@ -1879,6 +1922,8 @@ spec:
containers. If unspecified, the options from the PodSecurityContext containers. If unspecified, the options from the PodSecurityContext
will be used. If set in both SecurityContext and PodSecurityContext, will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence. the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is
linux.
properties: properties:
gmsaCredentialSpec: gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission description: GMSACredentialSpec is where the GMSA admission
@@ -1924,8 +1969,7 @@ spec:
This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1946,6 +1990,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -2009,9 +2072,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -2416,8 +2478,7 @@ spec:
info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2478,9 +2539,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -2503,18 +2565,16 @@ spec:
is terminated due to an API request or management event is terminated due to an API request or management event
such as liveness/startup probe failure, preemption, resource such as liveness/startup probe failure, preemption, resource
contention, etc. The handler is not called if the container contention, etc. The handler is not called if the container
crashes or exits. The reason for termination is passed crashes or exits. The Pod''s termination grace period
to the handler. The Pod''s termination grace period countdown countdown begins before the PreStop hook is executed.
begins before the PreStop hooked is executed. Regardless Regardless of the outcome of the handler, the container
of the outcome of the handler, the container will eventually will eventually terminate within the Pod''s termination
terminate within the Pod''s termination grace period. grace period (unless delayed by finalizers). Other management
Other management of the container blocks until the hook of the container blocks until the hook completes or until
completes or until the termination grace period is reached. the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2575,9 +2635,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -2602,8 +2663,7 @@ spec:
info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2624,6 +2684,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -2687,9 +2766,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -2787,8 +2865,7 @@ spec:
fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2809,6 +2886,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -2872,9 +2968,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -2955,12 +3050,14 @@ spec:
This bool directly controls if the no_new_privs flag will This bool directly controls if the no_new_privs flag will
be set on the container process. AllowPrivilegeEscalation be set on the container process. AllowPrivilegeEscalation
is true always when the container is: 1) run as Privileged is true always when the container is: 1) run as Privileged
2) has CAP_SYS_ADMIN' 2) has CAP_SYS_ADMIN Note that this field cannot be set
when spec.os.name is windows.'
type: boolean type: boolean
capabilities: capabilities:
description: The capabilities to add/drop when running containers. description: The capabilities to add/drop when running containers.
Defaults to the default set of capabilities granted by Defaults to the default set of capabilities granted by
the container runtime. the container runtime. Note that this field cannot be
set when spec.os.name is windows.
properties: properties:
add: add:
description: Added capabilities description: Added capabilities
@@ -2980,25 +3077,29 @@ spec:
privileged: privileged:
description: Run container in privileged mode. Processes description: Run container in privileged mode. Processes
in privileged containers are essentially equivalent to in privileged containers are essentially equivalent to
root on the host. Defaults to false. root on the host. Defaults to false. Note that this field
cannot be set when spec.os.name is windows.
type: boolean type: boolean
procMount: procMount:
description: procMount denotes the type of proc mount to description: procMount denotes the type of proc mount to
use for the containers. The default is DefaultProcMount use for the containers. The default is DefaultProcMount
which uses the container runtime defaults for readonly which uses the container runtime defaults for readonly
paths and masked paths. This requires the ProcMountType paths and masked paths. This requires the ProcMountType
feature flag to be enabled. feature flag to be enabled. Note that this field cannot
be set when spec.os.name is windows.
type: string type: string
readOnlyRootFilesystem: readOnlyRootFilesystem:
description: Whether this container has a read-only root description: Whether this container has a read-only root
filesystem. Default is false. filesystem. Default is false. Note that this field cannot
be set when spec.os.name is windows.
type: boolean type: boolean
runAsGroup: runAsGroup:
description: The GID to run the entrypoint of the container description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set process. Uses runtime default if unset. May also be set
in PodSecurityContext. If set in both SecurityContext in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
runAsNonRoot: runAsNonRoot:
@@ -3016,7 +3117,8 @@ spec:
process. Defaults to user specified in image metadata process. Defaults to user specified in image metadata
if unspecified. May also be set in PodSecurityContext. If if unspecified. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence. value specified in SecurityContext takes precedence. Note
that this field cannot be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
seLinuxOptions: seLinuxOptions:
@@ -3025,7 +3127,8 @@ spec:
random SELinux context for each container. May also be random SELinux context for each container. May also be
set in PodSecurityContext. If set in both SecurityContext set in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
properties: properties:
level: level:
description: Level is SELinux level label that applies description: Level is SELinux level label that applies
@@ -3048,6 +3151,8 @@ spec:
description: The seccomp options to use by this container. description: The seccomp options to use by this container.
If seccomp options are provided at both the pod & container If seccomp options are provided at both the pod & container
level, the container options override the pod options. level, the container options override the pod options.
Note that this field cannot be set when spec.os.name is
windows.
properties: properties:
localhostProfile: localhostProfile:
description: localhostProfile indicates a profile defined description: localhostProfile indicates a profile defined
@@ -3073,6 +3178,8 @@ spec:
containers. If unspecified, the options from the PodSecurityContext containers. If unspecified, the options from the PodSecurityContext
will be used. If set in both SecurityContext and PodSecurityContext, will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence. the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is
linux.
properties: properties:
gmsaCredentialSpec: gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission description: GMSACredentialSpec is where the GMSA admission
@@ -3118,8 +3225,7 @@ spec:
This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -3140,6 +3246,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -3203,9 +3328,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -3483,7 +3607,8 @@ spec:
set (new files created in the volume will be owned by FSGroup) set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw---- \n If unset, 3. The permission bits are OR'd with rw-rw---- \n If unset,
the Kubelet will not modify the ownership and permissions of the Kubelet will not modify the ownership and permissions of
any volume." any volume. Note that this field cannot be set when spec.os.name
is windows."
format: int64 format: int64
type: integer type: integer
fsGroupChangePolicy: fsGroupChangePolicy:
@@ -3493,13 +3618,15 @@ spec:
support fsGroup based ownership(and permissions). It will have support fsGroup based ownership(and permissions). It will have
no effect on ephemeral volume types such as: secret, configmaps no effect on ephemeral volume types such as: secret, configmaps
and emptydir. Valid values are "OnRootMismatch" and "Always". and emptydir. Valid values are "OnRootMismatch" and "Always".
If not specified, "Always" is used.' If not specified, "Always" is used. Note that this field cannot
be set when spec.os.name is windows.'
type: string type: string
runAsGroup: runAsGroup:
description: The GID to run the entrypoint of the container process. description: The GID to run the entrypoint of the container process.
Uses runtime default if unset. May also be set in SecurityContext. If Uses runtime default if unset. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container. specified in SecurityContext takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
runAsNonRoot: runAsNonRoot:
@@ -3516,7 +3643,8 @@ spec:
Defaults to user specified in image metadata if unspecified. Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext May also be set in SecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container. takes precedence for that container. Note that this field cannot
be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
seLinuxOptions: seLinuxOptions:
@@ -3525,6 +3653,7 @@ spec:
SELinux context for each container. May also be set in SecurityContext. If SELinux context for each container. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container. specified in SecurityContext takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
properties: properties:
level: level:
description: Level is SELinux level label that applies to description: Level is SELinux level label that applies to
@@ -3545,7 +3674,8 @@ spec:
type: object type: object
seccompProfile: seccompProfile:
description: The seccomp options to use by the containers in this description: The seccomp options to use by the containers in this
pod. pod. Note that this field cannot be set when spec.os.name is
windows.
properties: properties:
localhostProfile: localhostProfile:
description: localhostProfile indicates a profile defined description: localhostProfile indicates a profile defined
@@ -3567,7 +3697,8 @@ spec:
supplementalGroups: supplementalGroups:
description: A list of groups applied to the first process run description: A list of groups applied to the first process run
in each container, in addition to the container's primary GID. If in each container, in addition to the container's primary GID. If
unspecified, no groups will be added to any container. unspecified, no groups will be added to any container. Note
that this field cannot be set when spec.os.name is windows.
items: items:
format: int64 format: int64
type: integer type: integer
@@ -3575,7 +3706,8 @@ spec:
sysctls: sysctls:
description: Sysctls hold a list of namespaced sysctls used for description: Sysctls hold a list of namespaced sysctls used for
the pod. Pods with unsupported sysctls (by the container runtime) the pod. Pods with unsupported sysctls (by the container runtime)
might fail to launch. might fail to launch. Note that this field cannot be set when
spec.os.name is windows.
items: items:
description: Sysctl defines a kernel parameter to be set description: Sysctl defines a kernel parameter to be set
properties: properties:
@@ -3594,7 +3726,8 @@ spec:
description: The Windows specific settings applied to all containers. description: The Windows specific settings applied to all containers.
If unspecified, the options within a container's SecurityContext If unspecified, the options within a container's SecurityContext
will be used. If set in both SecurityContext and PodSecurityContext, will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence. the value specified in SecurityContext takes precedence. Note
that this field cannot be set when spec.os.name is linux.
properties: properties:
gmsaCredentialSpec: gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission description: GMSACredentialSpec is where the GMSA admission
@@ -3789,7 +3922,11 @@ spec:
type: object type: object
resources: resources:
description: 'Resources represents the minimum resources description: 'Resources represents the minimum resources
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' the volume should have. If RecoverVolumeExpansionFailure
feature is enabled users are allowed to specify
resource requirements that are lower than previous
value but must still be higher than capacity recorded
in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties: properties:
limits: limits:
additionalProperties: additionalProperties:
@@ -4004,7 +4141,11 @@ spec:
type: object type: object
resources: resources:
description: 'Resources represents the minimum resources description: 'Resources represents the minimum resources
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' the volume should have. If RecoverVolumeExpansionFailure
feature is enabled users are allowed to specify resource
requirements that are lower than previous value but
must still be higher than capacity recorded in the status
field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties: properties:
limits: limits:
additionalProperties: additionalProperties:
@@ -4100,6 +4241,27 @@ spec:
items: items:
type: string type: string
type: array type: array
allocatedResources:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: The storage resource within AllocatedResources
tracks the capacity allocated to a PVC. It may be larger
than the actual capacity when a volume expansion operation
is requested. For storage quota, the larger value from
allocatedResources and PVC.spec.resources is used. If
allocatedResources is not set, PVC.spec.resources alone
is used for quota calculation. If a volume expansion
capacity request is lowered, allocatedResources is only
lowered if there are no expansion operations in progress
and if the actual volume capacity is equal or lower
than the requested capacity. This is an alpha field
and requires enabling RecoverVolumeExpansionFailure
feature.
type: object
capacity: capacity:
additionalProperties: additionalProperties:
anyOf: anyOf:
@@ -4152,6 +4314,13 @@ spec:
phase: phase:
description: Phase represents the current phase of PersistentVolumeClaim. description: Phase represents the current phase of PersistentVolumeClaim.
type: string type: string
resizeStatus:
description: ResizeStatus stores status of resize operation.
ResizeStatus is not set by default but when expansion
is complete resizeStatus is set to empty string by resize
controller or kubelet. This is an alpha field and requires
enabling RecoverVolumeExpansionFailure feature.
type: string
type: object type: object
type: object type: object
type: object type: object
@@ -4284,7 +4453,7 @@ spec:
tells the scheduler to schedule the pod in any location, but tells the scheduler to schedule the pod in any location, but
giving higher precedence to topologies that would help reduce giving higher precedence to topologies that would help reduce
the skew. A constraint is considered "Unsatisfiable" for the skew. A constraint is considered "Unsatisfiable" for
an incoming pod if and only if every possible node assigment an incoming pod if and only if every possible node assignment
for that pod would violate "MaxSkew" on some topology. For for that pod would violate "MaxSkew" on some topology. For
example, in a 3-zone cluster, MaxSkew is set to 1, and pods example, in a 3-zone cluster, MaxSkew is set to 1, and pods
with the same labelSelector spread as 3/1/1: | zone1 | zone2 with the same labelSelector spread as 3/1/1: | zone1 | zone2
@@ -4747,9 +4916,7 @@ spec:
volumes if the CSI driver is meant to be used that way - see volumes if the CSI driver is meant to be used that way - see
the documentation of the driver for more information. \n A the documentation of the driver for more information. \n A
pod can use both types of ephemeral volumes and persistent pod can use both types of ephemeral volumes and persistent
volumes at the same time. \n This is a beta feature and only volumes at the same time."
available when the GenericEphemeralVolume feature gate is
enabled."
properties: properties:
volumeClaimTemplate: volumeClaimTemplate:
description: "Will be used to create a stand-alone PVC to description: "Will be used to create a stand-alone PVC to
@@ -4866,7 +5033,11 @@ spec:
type: object type: object
resources: resources:
description: 'Resources represents the minimum resources description: 'Resources represents the minimum resources
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' the volume should have. If RecoverVolumeExpansionFailure
feature is enabled users are allowed to specify
resource requirements that are lower than previous
value but must still be higher than capacity recorded
in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties: properties:
limits: limits:
additionalProperties: additionalProperties:

363
manifests/setup/0prometheusCustomResourceDefinition.yaml
View File

@@ -1636,8 +1636,7 @@ spec:
info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1698,9 +1697,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -1723,18 +1723,16 @@ spec:
is terminated due to an API request or management event is terminated due to an API request or management event
such as liveness/startup probe failure, preemption, resource such as liveness/startup probe failure, preemption, resource
contention, etc. The handler is not called if the container contention, etc. The handler is not called if the container
crashes or exits. The reason for termination is passed crashes or exits. The Pod''s termination grace period
to the handler. The Pod''s termination grace period countdown countdown begins before the PreStop hook is executed.
begins before the PreStop hooked is executed. Regardless Regardless of the outcome of the handler, the container
of the outcome of the handler, the container will eventually will eventually terminate within the Pod''s termination
terminate within the Pod''s termination grace period. grace period (unless delayed by finalizers). Other management
Other management of the container blocks until the hook of the container blocks until the hook completes or until
completes or until the termination grace period is reached. the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1795,9 +1793,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -1822,8 +1821,7 @@ spec:
info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1844,6 +1842,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -1907,9 +1924,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -2007,8 +2023,7 @@ spec:
fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2029,6 +2044,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -2092,9 +2126,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -2175,12 +2208,14 @@ spec:
This bool directly controls if the no_new_privs flag will This bool directly controls if the no_new_privs flag will
be set on the container process. AllowPrivilegeEscalation be set on the container process. AllowPrivilegeEscalation
is true always when the container is: 1) run as Privileged is true always when the container is: 1) run as Privileged
2) has CAP_SYS_ADMIN' 2) has CAP_SYS_ADMIN Note that this field cannot be set
when spec.os.name is windows.'
type: boolean type: boolean
capabilities: capabilities:
description: The capabilities to add/drop when running containers. description: The capabilities to add/drop when running containers.
Defaults to the default set of capabilities granted by Defaults to the default set of capabilities granted by
the container runtime. the container runtime. Note that this field cannot be
set when spec.os.name is windows.
properties: properties:
add: add:
description: Added capabilities description: Added capabilities
@@ -2200,25 +2235,29 @@ spec:
privileged: privileged:
description: Run container in privileged mode. Processes description: Run container in privileged mode. Processes
in privileged containers are essentially equivalent to in privileged containers are essentially equivalent to
root on the host. Defaults to false. root on the host. Defaults to false. Note that this field
cannot be set when spec.os.name is windows.
type: boolean type: boolean
procMount: procMount:
description: procMount denotes the type of proc mount to description: procMount denotes the type of proc mount to
use for the containers. The default is DefaultProcMount use for the containers. The default is DefaultProcMount
which uses the container runtime defaults for readonly which uses the container runtime defaults for readonly
paths and masked paths. This requires the ProcMountType paths and masked paths. This requires the ProcMountType
feature flag to be enabled. feature flag to be enabled. Note that this field cannot
be set when spec.os.name is windows.
type: string type: string
readOnlyRootFilesystem: readOnlyRootFilesystem:
description: Whether this container has a read-only root description: Whether this container has a read-only root
filesystem. Default is false. filesystem. Default is false. Note that this field cannot
be set when spec.os.name is windows.
type: boolean type: boolean
runAsGroup: runAsGroup:
description: The GID to run the entrypoint of the container description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set process. Uses runtime default if unset. May also be set
in PodSecurityContext. If set in both SecurityContext in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
runAsNonRoot: runAsNonRoot:
@@ -2236,7 +2275,8 @@ spec:
process. Defaults to user specified in image metadata process. Defaults to user specified in image metadata
if unspecified. May also be set in PodSecurityContext. If if unspecified. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence. value specified in SecurityContext takes precedence. Note
that this field cannot be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
seLinuxOptions: seLinuxOptions:
@@ -2245,7 +2285,8 @@ spec:
random SELinux context for each container. May also be random SELinux context for each container. May also be
set in PodSecurityContext. If set in both SecurityContext set in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
properties: properties:
level: level:
description: Level is SELinux level label that applies description: Level is SELinux level label that applies
@@ -2268,6 +2309,8 @@ spec:
description: The seccomp options to use by this container. description: The seccomp options to use by this container.
If seccomp options are provided at both the pod & container If seccomp options are provided at both the pod & container
level, the container options override the pod options. level, the container options override the pod options.
Note that this field cannot be set when spec.os.name is
windows.
properties: properties:
localhostProfile: localhostProfile:
description: localhostProfile indicates a profile defined description: localhostProfile indicates a profile defined
@@ -2293,6 +2336,8 @@ spec:
containers. If unspecified, the options from the PodSecurityContext containers. If unspecified, the options from the PodSecurityContext
will be used. If set in both SecurityContext and PodSecurityContext, will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence. the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is
linux.
properties: properties:
gmsaCredentialSpec: gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission description: GMSACredentialSpec is where the GMSA admission
@@ -2338,8 +2383,7 @@ spec:
This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2360,6 +2404,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -2423,9 +2486,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -2921,8 +2983,7 @@ spec:
info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2983,9 +3044,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -3008,18 +3070,16 @@ spec:
is terminated due to an API request or management event is terminated due to an API request or management event
such as liveness/startup probe failure, preemption, resource such as liveness/startup probe failure, preemption, resource
contention, etc. The handler is not called if the container contention, etc. The handler is not called if the container
crashes or exits. The reason for termination is passed crashes or exits. The Pod''s termination grace period
to the handler. The Pod''s termination grace period countdown countdown begins before the PreStop hook is executed.
begins before the PreStop hooked is executed. Regardless Regardless of the outcome of the handler, the container
of the outcome of the handler, the container will eventually will eventually terminate within the Pod''s termination
terminate within the Pod''s termination grace period. grace period (unless delayed by finalizers). Other management
Other management of the container blocks until the hook of the container blocks until the hook completes or until
completes or until the termination grace period is reached. the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -3080,9 +3140,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -3107,8 +3168,7 @@ spec:
info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -3129,6 +3189,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -3192,9 +3271,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -3292,8 +3370,7 @@ spec:
fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -3314,6 +3391,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -3377,9 +3473,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -3460,12 +3555,14 @@ spec:
This bool directly controls if the no_new_privs flag will This bool directly controls if the no_new_privs flag will
be set on the container process. AllowPrivilegeEscalation be set on the container process. AllowPrivilegeEscalation
is true always when the container is: 1) run as Privileged is true always when the container is: 1) run as Privileged
2) has CAP_SYS_ADMIN' 2) has CAP_SYS_ADMIN Note that this field cannot be set
when spec.os.name is windows.'
type: boolean type: boolean
capabilities: capabilities:
description: The capabilities to add/drop when running containers. description: The capabilities to add/drop when running containers.
Defaults to the default set of capabilities granted by Defaults to the default set of capabilities granted by
the container runtime. the container runtime. Note that this field cannot be
set when spec.os.name is windows.
properties: properties:
add: add:
description: Added capabilities description: Added capabilities
@@ -3485,25 +3582,29 @@ spec:
privileged: privileged:
description: Run container in privileged mode. Processes description: Run container in privileged mode. Processes
in privileged containers are essentially equivalent to in privileged containers are essentially equivalent to
root on the host. Defaults to false. root on the host. Defaults to false. Note that this field
cannot be set when spec.os.name is windows.
type: boolean type: boolean
procMount: procMount:
description: procMount denotes the type of proc mount to description: procMount denotes the type of proc mount to
use for the containers. The default is DefaultProcMount use for the containers. The default is DefaultProcMount
which uses the container runtime defaults for readonly which uses the container runtime defaults for readonly
paths and masked paths. This requires the ProcMountType paths and masked paths. This requires the ProcMountType
feature flag to be enabled. feature flag to be enabled. Note that this field cannot
be set when spec.os.name is windows.
type: string type: string
readOnlyRootFilesystem: readOnlyRootFilesystem:
description: Whether this container has a read-only root description: Whether this container has a read-only root
filesystem. Default is false. filesystem. Default is false. Note that this field cannot
be set when spec.os.name is windows.
type: boolean type: boolean
runAsGroup: runAsGroup:
description: The GID to run the entrypoint of the container description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set process. Uses runtime default if unset. May also be set
in PodSecurityContext. If set in both SecurityContext in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
runAsNonRoot: runAsNonRoot:
@@ -3521,7 +3622,8 @@ spec:
process. Defaults to user specified in image metadata process. Defaults to user specified in image metadata
if unspecified. May also be set in PodSecurityContext. If if unspecified. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence. value specified in SecurityContext takes precedence. Note
that this field cannot be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
seLinuxOptions: seLinuxOptions:
@@ -3530,7 +3632,8 @@ spec:
random SELinux context for each container. May also be random SELinux context for each container. May also be
set in PodSecurityContext. If set in both SecurityContext set in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
properties: properties:
level: level:
description: Level is SELinux level label that applies description: Level is SELinux level label that applies
@@ -3553,6 +3656,8 @@ spec:
description: The seccomp options to use by this container. description: The seccomp options to use by this container.
If seccomp options are provided at both the pod & container If seccomp options are provided at both the pod & container
level, the container options override the pod options. level, the container options override the pod options.
Note that this field cannot be set when spec.os.name is
windows.
properties: properties:
localhostProfile: localhostProfile:
description: localhostProfile indicates a profile defined description: localhostProfile indicates a profile defined
@@ -3578,6 +3683,8 @@ spec:
containers. If unspecified, the options from the PodSecurityContext containers. If unspecified, the options from the PodSecurityContext
will be used. If set in both SecurityContext and PodSecurityContext, will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence. the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is
linux.
properties: properties:
gmsaCredentialSpec: gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission description: GMSACredentialSpec is where the GMSA admission
@@ -3623,8 +3730,7 @@ spec:
This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -3645,6 +3751,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -3708,9 +3833,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -5182,7 +5306,8 @@ spec:
set (new files created in the volume will be owned by FSGroup) set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw---- \n If unset, 3. The permission bits are OR'd with rw-rw---- \n If unset,
the Kubelet will not modify the ownership and permissions of the Kubelet will not modify the ownership and permissions of
any volume." any volume. Note that this field cannot be set when spec.os.name
is windows."
format: int64 format: int64
type: integer type: integer
fsGroupChangePolicy: fsGroupChangePolicy:
@@ -5192,13 +5317,15 @@ spec:
support fsGroup based ownership(and permissions). It will have support fsGroup based ownership(and permissions). It will have
no effect on ephemeral volume types such as: secret, configmaps no effect on ephemeral volume types such as: secret, configmaps
and emptydir. Valid values are "OnRootMismatch" and "Always". and emptydir. Valid values are "OnRootMismatch" and "Always".
If not specified, "Always" is used.' If not specified, "Always" is used. Note that this field cannot
be set when spec.os.name is windows.'
type: string type: string
runAsGroup: runAsGroup:
description: The GID to run the entrypoint of the container process. description: The GID to run the entrypoint of the container process.
Uses runtime default if unset. May also be set in SecurityContext. If Uses runtime default if unset. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container. specified in SecurityContext takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
runAsNonRoot: runAsNonRoot:
@@ -5215,7 +5342,8 @@ spec:
Defaults to user specified in image metadata if unspecified. Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext May also be set in SecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container. takes precedence for that container. Note that this field cannot
be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
seLinuxOptions: seLinuxOptions:
@@ -5224,6 +5352,7 @@ spec:
SELinux context for each container. May also be set in SecurityContext. If SELinux context for each container. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container. specified in SecurityContext takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
properties: properties:
level: level:
description: Level is SELinux level label that applies to description: Level is SELinux level label that applies to
@@ -5244,7 +5373,8 @@ spec:
type: object type: object
seccompProfile: seccompProfile:
description: The seccomp options to use by the containers in this description: The seccomp options to use by the containers in this
pod. pod. Note that this field cannot be set when spec.os.name is
windows.
properties: properties:
localhostProfile: localhostProfile:
description: localhostProfile indicates a profile defined description: localhostProfile indicates a profile defined
@@ -5266,7 +5396,8 @@ spec:
supplementalGroups: supplementalGroups:
description: A list of groups applied to the first process run description: A list of groups applied to the first process run
in each container, in addition to the container's primary GID. If in each container, in addition to the container's primary GID. If
unspecified, no groups will be added to any container. unspecified, no groups will be added to any container. Note
that this field cannot be set when spec.os.name is windows.
items: items:
format: int64 format: int64
type: integer type: integer
@@ -5274,7 +5405,8 @@ spec:
sysctls: sysctls:
description: Sysctls hold a list of namespaced sysctls used for description: Sysctls hold a list of namespaced sysctls used for
the pod. Pods with unsupported sysctls (by the container runtime) the pod. Pods with unsupported sysctls (by the container runtime)
might fail to launch. might fail to launch. Note that this field cannot be set when
spec.os.name is windows.
items: items:
description: Sysctl defines a kernel parameter to be set description: Sysctl defines a kernel parameter to be set
properties: properties:
@@ -5293,7 +5425,8 @@ spec:
description: The Windows specific settings applied to all containers. description: The Windows specific settings applied to all containers.
If unspecified, the options within a container's SecurityContext If unspecified, the options within a container's SecurityContext
will be used. If set in both SecurityContext and PodSecurityContext, will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence. the value specified in SecurityContext takes precedence. Note
that this field cannot be set when spec.os.name is linux.
properties: properties:
gmsaCredentialSpec: gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission description: GMSACredentialSpec is where the GMSA admission
@@ -5589,7 +5722,11 @@ spec:
type: object type: object
resources: resources:
description: 'Resources represents the minimum resources description: 'Resources represents the minimum resources
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' the volume should have. If RecoverVolumeExpansionFailure
feature is enabled users are allowed to specify
resource requirements that are lower than previous
value but must still be higher than capacity recorded
in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties: properties:
limits: limits:
additionalProperties: additionalProperties:
@@ -5804,7 +5941,11 @@ spec:
type: object type: object
resources: resources:
description: 'Resources represents the minimum resources description: 'Resources represents the minimum resources
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' the volume should have. If RecoverVolumeExpansionFailure
feature is enabled users are allowed to specify resource
requirements that are lower than previous value but
must still be higher than capacity recorded in the status
field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties: properties:
limits: limits:
additionalProperties: additionalProperties:
@@ -5900,6 +6041,27 @@ spec:
items: items:
type: string type: string
type: array type: array
allocatedResources:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: The storage resource within AllocatedResources
tracks the capacity allocated to a PVC. It may be larger
than the actual capacity when a volume expansion operation
is requested. For storage quota, the larger value from
allocatedResources and PVC.spec.resources is used. If
allocatedResources is not set, PVC.spec.resources alone
is used for quota calculation. If a volume expansion
capacity request is lowered, allocatedResources is only
lowered if there are no expansion operations in progress
and if the actual volume capacity is equal or lower
than the requested capacity. This is an alpha field
and requires enabling RecoverVolumeExpansionFailure
feature.
type: object
capacity: capacity:
additionalProperties: additionalProperties:
anyOf: anyOf:
@@ -5952,6 +6114,13 @@ spec:
phase: phase:
description: Phase represents the current phase of PersistentVolumeClaim. description: Phase represents the current phase of PersistentVolumeClaim.
type: string type: string
resizeStatus:
description: ResizeStatus stores status of resize operation.
ResizeStatus is not set by default but when expansion
is complete resizeStatus is set to empty string by resize
controller or kubelet. This is an alpha field and requires
enabling RecoverVolumeExpansionFailure feature.
type: string
type: object type: object
type: object type: object
type: object type: object
@@ -6389,7 +6558,7 @@ spec:
tells the scheduler to schedule the pod in any location, but tells the scheduler to schedule the pod in any location, but
giving higher precedence to topologies that would help reduce giving higher precedence to topologies that would help reduce
the skew. A constraint is considered "Unsatisfiable" for the skew. A constraint is considered "Unsatisfiable" for
an incoming pod if and only if every possible node assigment an incoming pod if and only if every possible node assignment
for that pod would violate "MaxSkew" on some topology. For for that pod would violate "MaxSkew" on some topology. For
example, in a 3-zone cluster, MaxSkew is set to 1, and pods example, in a 3-zone cluster, MaxSkew is set to 1, and pods
with the same labelSelector spread as 3/1/1: | zone1 | zone2 with the same labelSelector spread as 3/1/1: | zone1 | zone2
@@ -6852,9 +7021,7 @@ spec:
volumes if the CSI driver is meant to be used that way - see volumes if the CSI driver is meant to be used that way - see
the documentation of the driver for more information. \n A the documentation of the driver for more information. \n A
pod can use both types of ephemeral volumes and persistent pod can use both types of ephemeral volumes and persistent
volumes at the same time. \n This is a beta feature and only volumes at the same time."
available when the GenericEphemeralVolume feature gate is
enabled."
properties: properties:
volumeClaimTemplate: volumeClaimTemplate:
description: "Will be used to create a stand-alone PVC to description: "Will be used to create a stand-alone PVC to
@@ -6971,7 +7138,11 @@ spec:
type: object type: object
resources: resources:
description: 'Resources represents the minimum resources description: 'Resources represents the minimum resources
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' the volume should have. If RecoverVolumeExpansionFailure
feature is enabled users are allowed to specify
resource requirements that are lower than previous
value but must still be higher than capacity recorded
in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties: properties:
limits: limits:
additionalProperties: additionalProperties:

363
manifests/setup/0thanosrulerCustomResourceDefinition.yaml
View File

@@ -1149,8 +1149,7 @@ spec:
info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1211,9 +1210,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -1236,18 +1236,16 @@ spec:
is terminated due to an API request or management event is terminated due to an API request or management event
such as liveness/startup probe failure, preemption, resource such as liveness/startup probe failure, preemption, resource
contention, etc. The handler is not called if the container contention, etc. The handler is not called if the container
crashes or exits. The reason for termination is passed crashes or exits. The Pod''s termination grace period
to the handler. The Pod''s termination grace period countdown countdown begins before the PreStop hook is executed.
begins before the PreStop hooked is executed. Regardless Regardless of the outcome of the handler, the container
of the outcome of the handler, the container will eventually will eventually terminate within the Pod''s termination
terminate within the Pod''s termination grace period. grace period (unless delayed by finalizers). Other management
Other management of the container blocks until the hook of the container blocks until the hook completes or until
completes or until the termination grace period is reached. the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1308,9 +1306,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -1335,8 +1334,7 @@ spec:
info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1357,6 +1355,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -1420,9 +1437,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -1520,8 +1536,7 @@ spec:
fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1542,6 +1557,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -1605,9 +1639,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -1688,12 +1721,14 @@ spec:
This bool directly controls if the no_new_privs flag will This bool directly controls if the no_new_privs flag will
be set on the container process. AllowPrivilegeEscalation be set on the container process. AllowPrivilegeEscalation
is true always when the container is: 1) run as Privileged is true always when the container is: 1) run as Privileged
2) has CAP_SYS_ADMIN' 2) has CAP_SYS_ADMIN Note that this field cannot be set
when spec.os.name is windows.'
type: boolean type: boolean
capabilities: capabilities:
description: The capabilities to add/drop when running containers. description: The capabilities to add/drop when running containers.
Defaults to the default set of capabilities granted by Defaults to the default set of capabilities granted by
the container runtime. the container runtime. Note that this field cannot be
set when spec.os.name is windows.
properties: properties:
add: add:
description: Added capabilities description: Added capabilities
@@ -1713,25 +1748,29 @@ spec:
privileged: privileged:
description: Run container in privileged mode. Processes description: Run container in privileged mode. Processes
in privileged containers are essentially equivalent to in privileged containers are essentially equivalent to
root on the host. Defaults to false. root on the host. Defaults to false. Note that this field
cannot be set when spec.os.name is windows.
type: boolean type: boolean
procMount: procMount:
description: procMount denotes the type of proc mount to description: procMount denotes the type of proc mount to
use for the containers. The default is DefaultProcMount use for the containers. The default is DefaultProcMount
which uses the container runtime defaults for readonly which uses the container runtime defaults for readonly
paths and masked paths. This requires the ProcMountType paths and masked paths. This requires the ProcMountType
feature flag to be enabled. feature flag to be enabled. Note that this field cannot
be set when spec.os.name is windows.
type: string type: string
readOnlyRootFilesystem: readOnlyRootFilesystem:
description: Whether this container has a read-only root description: Whether this container has a read-only root
filesystem. Default is false. filesystem. Default is false. Note that this field cannot
be set when spec.os.name is windows.
type: boolean type: boolean
runAsGroup: runAsGroup:
description: The GID to run the entrypoint of the container description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set process. Uses runtime default if unset. May also be set
in PodSecurityContext. If set in both SecurityContext in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
runAsNonRoot: runAsNonRoot:
@@ -1749,7 +1788,8 @@ spec:
process. Defaults to user specified in image metadata process. Defaults to user specified in image metadata
if unspecified. May also be set in PodSecurityContext. If if unspecified. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence. value specified in SecurityContext takes precedence. Note
that this field cannot be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
seLinuxOptions: seLinuxOptions:
@@ -1758,7 +1798,8 @@ spec:
random SELinux context for each container. May also be random SELinux context for each container. May also be
set in PodSecurityContext. If set in both SecurityContext set in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
properties: properties:
level: level:
description: Level is SELinux level label that applies description: Level is SELinux level label that applies
@@ -1781,6 +1822,8 @@ spec:
description: The seccomp options to use by this container. description: The seccomp options to use by this container.
If seccomp options are provided at both the pod & container If seccomp options are provided at both the pod & container
level, the container options override the pod options. level, the container options override the pod options.
Note that this field cannot be set when spec.os.name is
windows.
properties: properties:
localhostProfile: localhostProfile:
description: localhostProfile indicates a profile defined description: localhostProfile indicates a profile defined
@@ -1806,6 +1849,8 @@ spec:
containers. If unspecified, the options from the PodSecurityContext containers. If unspecified, the options from the PodSecurityContext
will be used. If set in both SecurityContext and PodSecurityContext, will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence. the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is
linux.
properties: properties:
gmsaCredentialSpec: gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission description: GMSACredentialSpec is where the GMSA admission
@@ -1851,8 +1896,7 @@ spec:
This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -1873,6 +1917,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -1936,9 +1999,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -2462,8 +2524,7 @@ spec:
info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2524,9 +2585,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -2549,18 +2611,16 @@ spec:
is terminated due to an API request or management event is terminated due to an API request or management event
such as liveness/startup probe failure, preemption, resource such as liveness/startup probe failure, preemption, resource
contention, etc. The handler is not called if the container contention, etc. The handler is not called if the container
crashes or exits. The reason for termination is passed crashes or exits. The Pod''s termination grace period
to the handler. The Pod''s termination grace period countdown countdown begins before the PreStop hook is executed.
begins before the PreStop hooked is executed. Regardless Regardless of the outcome of the handler, the container
of the outcome of the handler, the container will eventually will eventually terminate within the Pod''s termination
terminate within the Pod''s termination grace period. grace period (unless delayed by finalizers). Other management
Other management of the container blocks until the hook of the container blocks until the hook completes or until
completes or until the termination grace period is reached. the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
properties: properties:
exec: exec:
description: One and only one of the following should description: Exec specifies the action to take.
be specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2621,9 +2681,10 @@ spec:
- port - port
type: object type: object
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving description: Deprecated. TCPSocket is NOT supported
a TCP port. TCP hooks not yet supported TODO: implement as a LifecycleHandler and kept for the backward compatibility.
a realistic TCP lifecycle hook' There are no validation of this field and lifecycle
hooks will fail in runtime when tcp handler is specified.
properties: properties:
host: host:
description: 'Optional: Host name to connect to, description: 'Optional: Host name to connect to,
@@ -2648,8 +2709,7 @@ spec:
info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2670,6 +2730,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -2733,9 +2812,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -2833,8 +2911,7 @@ spec:
fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -2855,6 +2932,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -2918,9 +3014,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -3001,12 +3096,14 @@ spec:
This bool directly controls if the no_new_privs flag will This bool directly controls if the no_new_privs flag will
be set on the container process. AllowPrivilegeEscalation be set on the container process. AllowPrivilegeEscalation
is true always when the container is: 1) run as Privileged is true always when the container is: 1) run as Privileged
2) has CAP_SYS_ADMIN' 2) has CAP_SYS_ADMIN Note that this field cannot be set
when spec.os.name is windows.'
type: boolean type: boolean
capabilities: capabilities:
description: The capabilities to add/drop when running containers. description: The capabilities to add/drop when running containers.
Defaults to the default set of capabilities granted by Defaults to the default set of capabilities granted by
the container runtime. the container runtime. Note that this field cannot be
set when spec.os.name is windows.
properties: properties:
add: add:
description: Added capabilities description: Added capabilities
@@ -3026,25 +3123,29 @@ spec:
privileged: privileged:
description: Run container in privileged mode. Processes description: Run container in privileged mode. Processes
in privileged containers are essentially equivalent to in privileged containers are essentially equivalent to
root on the host. Defaults to false. root on the host. Defaults to false. Note that this field
cannot be set when spec.os.name is windows.
type: boolean type: boolean
procMount: procMount:
description: procMount denotes the type of proc mount to description: procMount denotes the type of proc mount to
use for the containers. The default is DefaultProcMount use for the containers. The default is DefaultProcMount
which uses the container runtime defaults for readonly which uses the container runtime defaults for readonly
paths and masked paths. This requires the ProcMountType paths and masked paths. This requires the ProcMountType
feature flag to be enabled. feature flag to be enabled. Note that this field cannot
be set when spec.os.name is windows.
type: string type: string
readOnlyRootFilesystem: readOnlyRootFilesystem:
description: Whether this container has a read-only root description: Whether this container has a read-only root
filesystem. Default is false. filesystem. Default is false. Note that this field cannot
be set when spec.os.name is windows.
type: boolean type: boolean
runAsGroup: runAsGroup:
description: The GID to run the entrypoint of the container description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set process. Uses runtime default if unset. May also be set
in PodSecurityContext. If set in both SecurityContext in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
runAsNonRoot: runAsNonRoot:
@@ -3062,7 +3163,8 @@ spec:
process. Defaults to user specified in image metadata process. Defaults to user specified in image metadata
if unspecified. May also be set in PodSecurityContext. If if unspecified. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext, the set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence. value specified in SecurityContext takes precedence. Note
that this field cannot be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
seLinuxOptions: seLinuxOptions:
@@ -3071,7 +3173,8 @@ spec:
random SELinux context for each container. May also be random SELinux context for each container. May also be
set in PodSecurityContext. If set in both SecurityContext set in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence. takes precedence. Note that this field cannot be set when
spec.os.name is windows.
properties: properties:
level: level:
description: Level is SELinux level label that applies description: Level is SELinux level label that applies
@@ -3094,6 +3197,8 @@ spec:
description: The seccomp options to use by this container. description: The seccomp options to use by this container.
If seccomp options are provided at both the pod & container If seccomp options are provided at both the pod & container
level, the container options override the pod options. level, the container options override the pod options.
Note that this field cannot be set when spec.os.name is
windows.
properties: properties:
localhostProfile: localhostProfile:
description: localhostProfile indicates a profile defined description: localhostProfile indicates a profile defined
@@ -3119,6 +3224,8 @@ spec:
containers. If unspecified, the options from the PodSecurityContext containers. If unspecified, the options from the PodSecurityContext
will be used. If set in both SecurityContext and PodSecurityContext, will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence. the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is
linux.
properties: properties:
gmsaCredentialSpec: gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission description: GMSACredentialSpec is where the GMSA admission
@@ -3164,8 +3271,7 @@ spec:
This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
properties: properties:
exec: exec:
description: One and only one of the following should be description: Exec specifies the action to take.
specified. Exec specifies the action to take.
properties: properties:
command: command:
description: Command is the command line to execute description: Command is the command line to execute
@@ -3186,6 +3292,25 @@ spec:
to 3. Minimum value is 1. to 3. Minimum value is 1.
format: int32 format: int32
type: integer type: integer
grpc:
description: GRPC specifies an action involving a GRPC port.
This is an alpha field and requires enabling GRPCContainerProbe
feature gate.
properties:
port:
description: Port number of the gRPC service. Number
must be in the range 1 to 65535.
format: int32
type: integer
service:
description: "Service is the name of the service to
place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
\n If this is not specified, the default behavior
is defined by gRPC."
type: string
required:
- port
type: object
httpGet: httpGet:
description: HTTPGet specifies the http request to perform. description: HTTPGet specifies the http request to perform.
properties: properties:
@@ -3249,9 +3374,8 @@ spec:
format: int32 format: int32
type: integer type: integer
tcpSocket: tcpSocket:
description: 'TCPSocket specifies an action involving a description: TCPSocket specifies an action involving a TCP
TCP port. TCP hooks not yet supported TODO: implement port.
a realistic TCP lifecycle hook'
properties: properties:
host: host:
description: 'Optional: Host name to connect to, defaults description: 'Optional: Host name to connect to, defaults
@@ -3685,7 +3809,8 @@ spec:
set (new files created in the volume will be owned by FSGroup) set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw---- \n If unset, 3. The permission bits are OR'd with rw-rw---- \n If unset,
the Kubelet will not modify the ownership and permissions of the Kubelet will not modify the ownership and permissions of
any volume." any volume. Note that this field cannot be set when spec.os.name
is windows."
format: int64 format: int64
type: integer type: integer
fsGroupChangePolicy: fsGroupChangePolicy:
@@ -3695,13 +3820,15 @@ spec:
support fsGroup based ownership(and permissions). It will have support fsGroup based ownership(and permissions). It will have
no effect on ephemeral volume types such as: secret, configmaps no effect on ephemeral volume types such as: secret, configmaps
and emptydir. Valid values are "OnRootMismatch" and "Always". and emptydir. Valid values are "OnRootMismatch" and "Always".
If not specified, "Always" is used.' If not specified, "Always" is used. Note that this field cannot
be set when spec.os.name is windows.'
type: string type: string
runAsGroup: runAsGroup:
description: The GID to run the entrypoint of the container process. description: The GID to run the entrypoint of the container process.
Uses runtime default if unset. May also be set in SecurityContext. If Uses runtime default if unset. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container. specified in SecurityContext takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
runAsNonRoot: runAsNonRoot:
@@ -3718,7 +3845,8 @@ spec:
Defaults to user specified in image metadata if unspecified. Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext May also be set in SecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container. takes precedence for that container. Note that this field cannot
be set when spec.os.name is windows.
format: int64 format: int64
type: integer type: integer
seLinuxOptions: seLinuxOptions:
@@ -3727,6 +3855,7 @@ spec:
SELinux context for each container. May also be set in SecurityContext. If SELinux context for each container. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container. specified in SecurityContext takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
properties: properties:
level: level:
description: Level is SELinux level label that applies to description: Level is SELinux level label that applies to
@@ -3747,7 +3876,8 @@ spec:
type: object type: object
seccompProfile: seccompProfile:
description: The seccomp options to use by the containers in this description: The seccomp options to use by the containers in this
pod. pod. Note that this field cannot be set when spec.os.name is
windows.
properties: properties:
localhostProfile: localhostProfile:
description: localhostProfile indicates a profile defined description: localhostProfile indicates a profile defined
@@ -3769,7 +3899,8 @@ spec:
supplementalGroups: supplementalGroups:
description: A list of groups applied to the first process run description: A list of groups applied to the first process run
in each container, in addition to the container's primary GID. If in each container, in addition to the container's primary GID. If
unspecified, no groups will be added to any container. unspecified, no groups will be added to any container. Note
that this field cannot be set when spec.os.name is windows.
items: items:
format: int64 format: int64
type: integer type: integer
@@ -3777,7 +3908,8 @@ spec:
sysctls: sysctls:
description: Sysctls hold a list of namespaced sysctls used for description: Sysctls hold a list of namespaced sysctls used for
the pod. Pods with unsupported sysctls (by the container runtime) the pod. Pods with unsupported sysctls (by the container runtime)
might fail to launch. might fail to launch. Note that this field cannot be set when
spec.os.name is windows.
items: items:
description: Sysctl defines a kernel parameter to be set description: Sysctl defines a kernel parameter to be set
properties: properties:
@@ -3796,7 +3928,8 @@ spec:
description: The Windows specific settings applied to all containers. description: The Windows specific settings applied to all containers.
If unspecified, the options within a container's SecurityContext If unspecified, the options within a container's SecurityContext
will be used. If set in both SecurityContext and PodSecurityContext, will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence. the value specified in SecurityContext takes precedence. Note
that this field cannot be set when spec.os.name is linux.
properties: properties:
gmsaCredentialSpec: gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission description: GMSACredentialSpec is where the GMSA admission
@@ -3983,7 +4116,11 @@ spec:
type: object type: object
resources: resources:
description: 'Resources represents the minimum resources description: 'Resources represents the minimum resources
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' the volume should have. If RecoverVolumeExpansionFailure
feature is enabled users are allowed to specify
resource requirements that are lower than previous
value but must still be higher than capacity recorded
in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties: properties:
limits: limits:
additionalProperties: additionalProperties:
@@ -4198,7 +4335,11 @@ spec:
type: object type: object
resources: resources:
description: 'Resources represents the minimum resources description: 'Resources represents the minimum resources
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' the volume should have. If RecoverVolumeExpansionFailure
feature is enabled users are allowed to specify resource
requirements that are lower than previous value but
must still be higher than capacity recorded in the status
field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties: properties:
limits: limits:
additionalProperties: additionalProperties:
@@ -4294,6 +4435,27 @@ spec:
items: items:
type: string type: string
type: array type: array
allocatedResources:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: The storage resource within AllocatedResources
tracks the capacity allocated to a PVC. It may be larger
than the actual capacity when a volume expansion operation
is requested. For storage quota, the larger value from
allocatedResources and PVC.spec.resources is used. If
allocatedResources is not set, PVC.spec.resources alone
is used for quota calculation. If a volume expansion
capacity request is lowered, allocatedResources is only
lowered if there are no expansion operations in progress
and if the actual volume capacity is equal or lower
than the requested capacity. This is an alpha field
and requires enabling RecoverVolumeExpansionFailure
feature.
type: object
capacity: capacity:
additionalProperties: additionalProperties:
anyOf: anyOf:
@@ -4346,6 +4508,13 @@ spec:
phase: phase:
description: Phase represents the current phase of PersistentVolumeClaim. description: Phase represents the current phase of PersistentVolumeClaim.
type: string type: string
resizeStatus:
description: ResizeStatus stores status of resize operation.
ResizeStatus is not set by default but when expansion
is complete resizeStatus is set to empty string by resize
controller or kubelet. This is an alpha field and requires
enabling RecoverVolumeExpansionFailure feature.
type: string
type: object type: object
type: object type: object
type: object type: object
@@ -4472,7 +4641,7 @@ spec:
tells the scheduler to schedule the pod in any location, but tells the scheduler to schedule the pod in any location, but
giving higher precedence to topologies that would help reduce giving higher precedence to topologies that would help reduce
the skew. A constraint is considered "Unsatisfiable" for the skew. A constraint is considered "Unsatisfiable" for
an incoming pod if and only if every possible node assigment an incoming pod if and only if every possible node assignment
for that pod would violate "MaxSkew" on some topology. For for that pod would violate "MaxSkew" on some topology. For
example, in a 3-zone cluster, MaxSkew is set to 1, and pods example, in a 3-zone cluster, MaxSkew is set to 1, and pods
with the same labelSelector spread as 3/1/1: | zone1 | zone2 with the same labelSelector spread as 3/1/1: | zone1 | zone2
@@ -4909,9 +5078,7 @@ spec:
volumes if the CSI driver is meant to be used that way - see volumes if the CSI driver is meant to be used that way - see
the documentation of the driver for more information. \n A the documentation of the driver for more information. \n A
pod can use both types of ephemeral volumes and persistent pod can use both types of ephemeral volumes and persistent
volumes at the same time. \n This is a beta feature and only volumes at the same time."
available when the GenericEphemeralVolume feature gate is
enabled."
properties: properties:
volumeClaimTemplate: volumeClaimTemplate:
description: "Will be used to create a stand-alone PVC to description: "Will be used to create a stand-alone PVC to
@@ -5028,7 +5195,11 @@ spec:
type: object type: object
resources: resources:
description: 'Resources represents the minimum resources description: 'Resources represents the minimum resources
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' the volume should have. If RecoverVolumeExpansionFailure
feature is enabled users are allowed to specify
resource requirements that are lower than previous
value but must still be higher than capacity recorded
in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties: properties:
limits: limits:
additionalProperties: additionalProperties: