--- /dev/null
+# CustomResourceDefinitions for Calico and Tigera operator
+---
+# Source: crds/operator.tigera.io_apiservers_crd.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: apiservers.operator.tigera.io
+spec:
+ group: operator.tigera.io
+ names:
+ kind: APIServer
+ listKind: APIServerList
+ plural: apiservers
+ singular: apiserver
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ APIServer installs the Tigera API server and related resources. At most one instance
+ of this resource is supported. It must be named "default" or "tigera-secure".
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired state for the Tigera API server.
+ properties:
+ apiServerDeployment:
+ description: |-
+ APIServerDeployment configures the calico-apiserver (or tigera-apiserver in Enterprise) Deployment. If
+ used in conjunction with ControlPlaneNodeSelector or ControlPlaneTolerations, then these overrides
+ take precedence.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's metadata
+ that is added to the Deployment.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the API server Deployment.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the API server Deployment.
+ If omitted, the API server Deployment will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the API server Deployment
+ pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the API server Deployment's PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the API server pods.
+ If specified, this overrides any affinity that may be set on the API server Deployment.
+ If omitted, the API server Deployment will use its default value for affinity.
+ WARNING: Please note that this field will override the default API server Deployment affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of API server containers.
+ If specified, this overrides the specified API server Deployment containers.
+ If omitted, the API server Deployment will use its default values for its containers.
+ items:
+ description: APIServerDeploymentContainer is an
+ API server Deployment container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the API server Deployment container by name.
+ Supported values are: calico-apiserver, tigera-queryserver, calico-l7-admission-controller
+ enum:
+ - calico-apiserver
+ - tigera-queryserver
+ - calico-l7-admission-controller
+ type: string
+ ports:
+ description: |-
+ Ports allows customization of container's ports.
+ If specified, this overrides the named APIServer Deployment container's ports.
+ If omitted, the API server Deployment will use its default value for this container's port.
+ items:
+ properties:
+ containerPort:
+ description: |-
+ Number of port to expose on the pod's IP address.
+ This must be a valid port number, 0 < x < 65536.
+ format: int32
+ type: integer
+ name:
+ description: |-
+ Name is an enum which identifies the API server Deployment Container port by name.
+ Supported values are: apiserver, queryserver, l7admctrl
+ enum:
+ - apiserver
+ - queryserver
+ - l7admctrl
+ type: string
+ required:
+ - containerPort
+ - name
+ type: object
+ type: array
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named API server Deployment container's resources.
+ If omitted, the API server Deployment will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ initContainers:
+ description: |-
+ InitContainers is a list of API server init containers.
+ If specified, this overrides the specified API server Deployment init containers.
+ If omitted, the API server Deployment will use its default values for its init containers.
+ items:
+ description: APIServerDeploymentInitContainer is
+ an API server Deployment init container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the API server Deployment init container by name.
+ Supported values are: calico-apiserver-certs-key-cert-provisioner
+ enum:
+ - calico-apiserver-certs-key-cert-provisioner
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named API server Deployment init container's resources.
+ If omitted, the API server Deployment will use its default value for this init container's resources.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the API server pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the API server Deployment nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If used in conjunction with ControlPlaneNodeSelector, that nodeSelector is set on the API server Deployment
+ and each of this field's key/value pairs are added to the API server Deployment nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the API server Deployment will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default API server Deployment nodeSelector.
+ type: object
+ priorityClassName:
+ description: PriorityClassName allows to specify a
+ PriorityClass resource to be used.
+ type: string
+ tolerations:
+ description: |-
+ Tolerations is the API server pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the API server Deployment.
+ If omitted, the API server Deployment will use its default value for tolerations.
+ WARNING: Please note that this field will override the default API server Deployment tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
+ items:
+ description: TopologySpreadConstraint specifies
+ how to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each <key, value> as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ logging:
+ properties:
+ apiServer:
+ properties:
+ logSeverity:
+ default: Info
+ description: LogSeverity defines log level for APIServer container.
+ enum:
+ - Fatal
+ - Error
+ - Warn
+ - Info
+ - Debug
+ - Trace
+ type: string
+ type: object
+ queryServer:
+ properties:
+ logSeverity:
+ default: Info
+ description: LogSeverity defines log level for QueryServer
+ container.
+ enum:
+ - Fatal
+ - Error
+ - Warn
+ - Info
+ - Debug
+ - Trace
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ description: Most recently observed status for the Tigera API server.
+ properties:
+ conditions:
+ description: |-
+ Conditions represents the latest observed set of conditions for the component. A component may be one or more of
+ Ready, Progressing, Degraded or other customer types.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ state:
+ description: State provides user-readable status.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+# Source: crds/operator.tigera.io_gatewayapis_crd.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: gatewayapis.operator.tigera.io
+spec:
+ group: operator.tigera.io
+ names:
+ kind: GatewayAPI
+ listKind: GatewayAPIList
+ plural: gatewayapis
+ singular: gatewayapi
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: GatewayAPISpec has fields that can be used to customize our
+ GatewayAPI support.
+ properties:
+ crdManagement:
+ description: |-
+ Configure how to manage and update Gateway API CRDs. The default behaviour - which is
+ used when this field is not set, or is set to "PreferExisting" - is that the Tigera
+ operator will create the Gateway API CRDs if they do not already exist, but will not
+ overwrite any existing Gateway API CRDs. This setting may be preferable if the customer
+ is using other implementations of the Gateway API concurrently with the Gateway API
+ support in Calico Enterprise. It is then the customer's responsibility to ensure that
+ CRDs are installed that meet the needs of all the Gateway API implementations in their
+ cluster.
+ Alternatively, if this field is set to "Reconcile", the Tigera operator will keep the
+ cluster's Gateway API CRDs aligned with those that it would install on a cluster that
+ does not yet have any version of those CRDs.
+ enum:
+ - Reconcile
+ - PreferExisting
+ type: string
+ gatewayCertgenJob:
+ description: Allow optional customization of the gateway certgen job.
+ properties:
+ metadata:
+ description: Metadata contains the standard Kubernetes labels
+ and annotations fields.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: |-
+ GatewayCertgenJobSpec allows customization of the gateway certgen job spec.
+ For customization of the job template see GatewayCertgenJobPodTemplate.
+ properties:
+ template:
+ description: |-
+ GatewayCertgenJobPodTemplate allows customization of the gateway certgen job's pod template.
+ If GatewayCertgenJob.Spec.Template.Metadata is non-nil, non-clashing labels and
+ annotations from that metadata are added into the job's pod template.
+ For customization of the pod template spec see GatewayCertgenJobPodSpec.
+ properties:
+ metadata:
+ description: Metadata contains the standard Kubernetes
+ labels and annotations fields.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: |-
+ GatewayCertgenJobPodSpec allows customization of the gateway certgen job's pod spec.
+ If GatewayCertgenJob.Spec.Template.Spec.Affinity is non-nil, it sets the affinity field of the
+ job's pod template.
+ If GatewayCertgenJob.Spec.Template.Spec.NodeSelector is non-nil, it sets a node selector for
+ where job pods may be scheduled.
+ If GatewayCertgenJob.Spec.Template.Spec.Tolerations is non-nil, it sets the tolerations field of
+ the job's pod template.
+ For customization of job container resources see GatewayCertgenJobContainer.
+ properties:
+ affinity:
+ description: Affinity is a group of affinity scheduling
+ rules.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ items:
+ description: |-
+ GatewayCertgenJobContainer allows customization of the gateway certgen job's resource
+ requirements.
+ If GatewayCertgenJob.Spec.Template.Spec.Containers["envoy-gateway-certgen"].Resources is non-nil,
+ it overrides the ResourceRequirements of the job's "envoy-gateway-certgen" container.
+ properties:
+ name:
+ enum:
+ - envoy-gateway-certgen
+ type: string
+ resources:
+ description: ResourceRequirements describes
+ the compute resource requirements.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ tolerations:
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ gatewayControllerDeployment:
+ description: Allow optional customization of the gateway controller
+ deployment.
+ properties:
+ metadata:
+ description: Metadata contains the standard Kubernetes labels
+ and annotations fields.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: |-
+ GatewayControllerDeploymentSpec allows customization of the gateway controller deployment spec.
+ If GatewayControllerDeployment.Spec.MinReadySeconds is non-nil, it sets the minReadySeconds field
+ for the deployment.
+ For customization of the pod template see GatewayControllerDeploymentPodTemplate.
+ properties:
+ minReadySeconds:
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: |-
+ GatewayControllerDeploymentPodTemplate allows customization of the gateway controller deployment
+ pod template.
+ If GatewayControllerDeployment.Spec.Template.Metadata is non-nil, non-clashing labels and
+ annotations from that metadata are added into the deployment's pod template.
+ For customization of the pod template spec see GatewayControllerDeploymentPodSpec.
+ properties:
+ metadata:
+ description: Metadata contains the standard Kubernetes
+ labels and annotations fields.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: |-
+ GatewayControllerDeploymentPodSpec allows customization of the gateway controller deployment pod
+ spec.
+ If GatewayControllerDeployment.Spec.Template.Spec.Affinity is non-nil, it sets the affinity field
+ of the deployment's pod template.
+ If GatewayControllerDeployment.Spec.Template.Spec.NodeSelector is non-nil, it sets a node
+ selector for where controller pods may be scheduled.
+ If GatewayControllerDeployment.Spec.Template.Spec.Tolerations is non-nil, it sets the tolerations
+ field of the deployment's pod template.
+ For customization of container resources see GatewayControllerDeploymentContainer.
+ properties:
+ affinity:
+ description: Affinity is a group of affinity scheduling
+ rules.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ items:
+ description: |-
+ GatewayControllerDeploymentContainer allows customization of the gateway controller's resource
+ requirements.
+ If GatewayControllerDeployment.Spec.Template.Spec.Containers["envoy-gateway"].Resources is
+ non-nil, it overrides the ResourceRequirements of the controller's "envoy-gateway" container.
+ properties:
+ name:
+ enum:
+ - envoy-gateway
+ type: string
+ resources:
+ description: ResourceRequirements describes
+ the compute resource requirements.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ tolerations:
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ gatewayDeployment:
+ description: Allow optional customization of gateway deployments.
+ properties:
+ spec:
+ description: |-
+ GatewayDeploymentSpec allows customization of the spec of gateway deployments.
+ For customization of the pod template see GatewayDeploymentPodTemplate.
+ For customization of the deployment strategy see GatewayDeploymentStrategy.
+ properties:
+ strategy:
+ description: The deployment strategy to use to replace existing
+ pods with new ones.
+ properties:
+ rollingUpdate:
+ description: Spec to control the desired behavior of rolling
+ update.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ template:
+ description: |-
+ GatewayDeploymentPodTemplate allows customization of the pod template of gateway deployments.
+ If GatewayDeployment.Spec.Template.Metadata is non-nil, non-clashing labels and annotations from
+ that metadata are added into each deployment's pod template.
+ For customization of the pod template spec see GatewayDeploymentPodSpec.
+ properties:
+ metadata:
+ description: Metadata contains the standard Kubernetes
+ labels and annotations fields.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: |-
+ GatewayDeploymentPodSpec allows customization of the pod spec of gateway deployments.
+ If GatewayDeployment.Spec.Template.Spec.Affinity is non-nil, it sets the affinity field of each
+ deployment's pod template.
+ If GatewayDeployment.Spec.Template.Spec.NodeSelector is non-nil, it sets a node selector for
+ where gateway pods may be scheduled.
+ If GatewayDeployment.Spec.Template.Spec.Tolerations is non-nil, it sets the tolerations field of
+ each deployment's pod template.
+ If GatewayDeployment.Spec.Template.Spec.TopologySpreadConstraints is non-nil, it sets the
+ topology spread constraints of each deployment's pod template.
+ For customization of container resources see GatewayControllerDeploymentContainer.
+ properties:
+ affinity:
+ description: Affinity is a group of affinity scheduling
+ rules.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ items:
+ description: |-
+ GatewayDeploymentContainer allows customization of the resource requirements of gateway
+ deployments.
+ If GatewayDeployment.Spec.Template.Spec.Containers["envoy"].Resources is non-nil, it overrides
+ the ResourceRequirements of the "envoy" container in each gateway deployment.
+ properties:
+ name:
+ enum:
+ - envoy
+ type: string
+ resources:
+ description: ResourceRequirements describes
+ the compute resource requirements.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ tolerations:
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
+ items:
+ description: TopologySpreadConstraint specifies
+ how to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each <key, value> as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/operator.tigera.io_goldmanes_crd.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: goldmanes.operator.tigera.io
+spec:
+ group: operator.tigera.io
+ names:
+ kind: Goldmane
+ listKind: GoldmaneList
+ plural: goldmanes
+ singular: goldmane
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ goldmaneDeployment:
+ description: GoldmaneDeployment is the configuration for the goldmane
+ Deployment.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's metadata
+ that is added to the Deployment.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the goldmane Deployment.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the goldmane Deployment.
+ If omitted, the goldmane Deployment will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ strategy:
+ description: The deployment strategy to use to replace existing
+ pods with new ones.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ to be.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ template:
+ description: Template describes the goldmane Deployment pod
+ that will be created.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's
+ metadata that is added to the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the goldmane Deployment's PodSpec.
+ properties:
+ affinity:
+ description: Affinity is a group of affinity scheduling
+ rules for the goldmane pods.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of goldmane containers.
+ If specified, this overrides the specified EGW Deployment containers.
+ If omitted, the goldmane Deployment will use its default values for its containers.
+ items:
+ properties:
+ name:
+ enum:
+ - goldmane
+ type: string
+ resources:
+ description: ResourceRequirements describes
+ the compute resource requirements.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: NodeSelector gives more control over
+ the nodes where the goldmane pods will run on.
+ type: object
+ priorityClassName:
+ description: PriorityClassName allows to specify a
+ PriorityClass resource to be used.
+ type: string
+ terminationGracePeriodSeconds:
+ description: TerminationGracePeriodSeconds defines
+ the termination grace period of the goldmane pods
+ in seconds.
+ format: int64
+ minimum: 0
+ type: integer
+ tolerations:
+ description: |-
+ Tolerations is the goldmane pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the goldmane Deployment.
+ If omitted, the goldmane Deployment will use its default value for tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
+ items:
+ description: TopologySpreadConstraint specifies
+ how to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each <key, value> as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ type: object
+ status:
+ description: GoldmaneStatus defines the observed state of Goldmane
+ properties:
+ conditions:
+ description: |-
+ Conditions represents the latest observed set of conditions for the component. A component may be one or more of
+ Ready, Progressing, Degraded or other customer types.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+# Source: crds/operator.tigera.io_imagesets_crd.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: imagesets.operator.tigera.io
+spec:
+ group: operator.tigera.io
+ names:
+ kind: ImageSet
+ listKind: ImageSetList
+ plural: imagesets
+ singular: imageset
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ImageSet is used to specify image digests for the images that the operator deploys.
+ The name of the ImageSet is expected to be in the format `<variant>-<release>`.
+ The `variant` used is `enterprise` if the InstallationSpec Variant is
+ `TigeraSecureEnterprise` otherwise it is `calico`.
+ The `release` must match the version of the variant that the operator is built to deploy,
+ this version can be obtained by passing the `--version` flag to the operator binary.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ImageSetSpec defines the desired state of ImageSet.
+ properties:
+ images:
+ description: |-
+ Images is the list of images to use digests. All images that the operator will deploy
+ must be specified.
+ items:
+ properties:
+ digest:
+ description: |-
+ Digest is the image identifier that will be used for the Image.
+ The field should not include a leading `@` and must be prefixed with `sha256:`.
+ type: string
+ image:
+ description: |-
+ Image is an image that the operator deploys and instead of using the built in tag
+ the operator will use the Digest for the image identifier.
+ The value should be the *original* image name without registry or tag or digest.
+ For the image `docker.io/calico/node:v3.17.1` it should be represented as `calico/node`
+ The "Installation" spec allows defining custom image registries, paths or prefixes.
+ Even for custom images such as example.com/custompath/customprefix-calico-node:v3.17.1,
+ this value should still be `calico/node`.
+ type: string
+ required:
+ - digest
+ - image
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+# Source: crds/operator.tigera.io_installations_crd.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: installations.operator.tigera.io
+spec:
+ group: operator.tigera.io
+ names:
+ kind: Installation
+ listKind: InstallationList
+ plural: installations
+ singular: installation
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Installation configures an installation of Calico or Calico Enterprise. At most one instance
+ of this resource is supported. It must be named "default". The Installation API installs core networking
+ and network policy components, and provides general install-time configuration.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired state for the Calico or Calico
+ Enterprise installation.
+ properties:
+ azure:
+ description: Azure is used to configure azure provider specific options.
+ properties:
+ policyMode:
+ default: Default
+ description: |-
+ PolicyMode determines whether the "control-plane" label is applied to namespaces. It offers two options: Default and Manual.
+ The Default option adds the "control-plane" label to the required namespaces.
+ The Manual option does not apply the "control-plane" label to any namespace.
+ Default: Default
+ enum:
+ - Default
+ - Manual
+ type: string
+ type: object
+ calicoKubeControllersDeployment:
+ description: |-
+ CalicoKubeControllersDeployment configures the calico-kube-controllers Deployment. If used in
+ conjunction with the deprecated ComponentResources, then these overrides take precedence.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's metadata
+ that is added to the Deployment.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the calico-kube-controllers
+ Deployment.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the calico-kube-controllers Deployment.
+ If omitted, the calico-kube-controllers Deployment will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the calico-kube-controllers
+ Deployment pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the calico-kube-controllers Deployment's
+ PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the calico-kube-controllers pods.
+ If specified, this overrides any affinity that may be set on the calico-kube-controllers Deployment.
+ If omitted, the calico-kube-controllers Deployment will use its default value for affinity.
+ WARNING: Please note that this field will override the default calico-kube-controllers Deployment affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of calico-kube-controllers containers.
+ If specified, this overrides the specified calico-kube-controllers Deployment containers.
+ If omitted, the calico-kube-controllers Deployment will use its default values for its containers.
+ items:
+ description: CalicoKubeControllersDeploymentContainer
+ is a calico-kube-controllers Deployment container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-kube-controllers Deployment container by name.
+ Supported values are: calico-kube-controllers, es-calico-kube-controllers
+ enum:
+ - calico-kube-controllers
+ - es-calico-kube-controllers
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-kube-controllers Deployment container's resources.
+ If omitted, the calico-kube-controllers Deployment will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-kube-controllers pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-kube-controllers Deployment nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If used in conjunction with ControlPlaneNodeSelector, that nodeSelector is set on the calico-kube-controllers Deployment
+ and each of this field's key/value pairs are added to the calico-kube-controllers Deployment nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-kube-controllers Deployment will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-kube-controllers Deployment nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the calico-kube-controllers pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the calico-kube-controllers Deployment.
+ If omitted, the calico-kube-controllers Deployment will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-kube-controllers Deployment tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ calicoNetwork:
+ description: CalicoNetwork specifies networking configuration options
+ for Calico.
+ properties:
+ bgp:
+ description: BGP configures whether or not to enable Calico's
+ BGP capabilities.
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ containerIPForwarding:
+ description: |-
+ ContainerIPForwarding configures whether ip forwarding will be enabled for containers in the CNI configuration.
+ Default: Disabled
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ hostPorts:
+ description: |-
+ HostPorts configures whether or not Calico will support Kubernetes HostPorts. Valid only when using the Calico CNI plugin.
+ Default: Enabled
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ ipPools:
+ description: |-
+ IPPools contains a list of IP pools to manage. If nil, a single IPv4 IP pool
+ will be created by the operator. If an empty list is provided, the operator will not create any IP pools and will instead
+ wait for IP pools to be created out-of-band.
+ IP pools in this list will be reconciled by the operator and should not be modified out-of-band.
+ items:
+ properties:
+ allowedUses:
+ description: |-
+ AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to
+ ["Tunnel", "Workload"] for back-compatibility
+ items:
+ type: string
+ type: array
+ assignmentMode:
+ description: AssignmentMode determines if IP addresses from
+ this pool should be assigned automatically or on request
+ only
+ type: string
+ blockSize:
+ description: |-
+ BlockSize specifies the CIDR prefex length to use when allocating per-node IP blocks from
+ the main IP pool CIDR.
+ Default: 26 (IPv4), 122 (IPv6)
+ format: int32
+ type: integer
+ cidr:
+ description: CIDR contains the address range for the IP
+ Pool in classless inter-domain routing format.
+ type: string
+ disableBGPExport:
+ default: false
+ description: |-
+ DisableBGPExport specifies whether routes from this IP pool's CIDR are exported over BGP.
+ Default: false
+ type: boolean
+ disableNewAllocations:
+ description: |-
+ DisableNewAllocations specifies whether or not new IP allocations are allowed from this pool.
+ This is useful when you want to prevent new pods from receiving IP addresses from this pool, without
+ impacting any existing pods that have already been assigned addresses from this pool.
+ type: boolean
+ encapsulation:
+ description: |-
+ Encapsulation specifies the encapsulation type that will be used with
+ the IP Pool.
+ Default: IPIP
+ enum:
+ - IPIPCrossSubnet
+ - IPIP
+ - VXLAN
+ - VXLANCrossSubnet
+ - None
+ type: string
+ name:
+ description: Name is the name of the IP pool. If omitted,
+ this will be generated.
+ type: string
+ natOutgoing:
+ description: |-
+ NATOutgoing specifies if NAT will be enabled or disabled for outgoing traffic.
+ Default: Enabled
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ nodeSelector:
+ description: |-
+ NodeSelector specifies the node selector that will be set for the IP Pool.
+ Default: 'all()'
+ type: string
+ required:
+ - cidr
+ type: object
+ maxItems: 25
+ type: array
+ linuxDataplane:
+ description: |-
+ LinuxDataplane is used to select the dataplane used for Linux nodes. In particular, it
+ causes the operator to add required mounts and environment variables for the particular dataplane.
+ If not specified, iptables mode is used.
+ Default: Iptables
+ enum:
+ - Iptables
+ - BPF
+ - VPP
+ - Nftables
+ type: string
+ linuxPolicySetupTimeoutSeconds:
+ description: |-
+ LinuxPolicySetupTimeoutSeconds delays new pods from running containers
+ until their policy has been programmed in the dataplane.
+ The specified delay defines the maximum amount of time
+ that the Calico CNI plugin will wait for policy to be programmed.
+ Only applies to pods created on Linux nodes.
+ * A value of 0 disables pod startup delays.
+ Default: 0
+ format: int32
+ type: integer
+ mtu:
+ description: |-
+ MTU specifies the maximum transmission unit to use on the pod network.
+ If not specified, Calico will perform MTU auto-detection based on the cluster network.
+ format: int32
+ type: integer
+ multiInterfaceMode:
+ description: |-
+ MultiInterfaceMode configures what will configure multiple interface per pod. Only valid for Calico Enterprise installations
+ using the Calico CNI plugin.
+ Default: None
+ enum:
+ - None
+ - Multus
+ type: string
+ nodeAddressAutodetectionV4:
+ description: |-
+ NodeAddressAutodetectionV4 specifies an approach to automatically detect node IPv4 addresses. If not specified,
+ will use default auto-detection settings to acquire an IPv4 address for each node.
+ properties:
+ canReach:
+ description: |-
+ CanReach enables IP auto-detection based on which source address on the node is used to reach the
+ specified IP or domain.
+ type: string
+ cidrs:
+ description: |-
+ CIDRS enables IP auto-detection based on which addresses on the nodes are within
+ one of the provided CIDRs.
+ items:
+ type: string
+ type: array
+ firstFound:
+ description: |-
+ FirstFound uses default interface matching parameters to select an interface, performing best-effort
+ filtering based on well-known interface names.
+ type: boolean
+ interface:
+ description: Interface enables IP auto-detection based on
+ interfaces that match the given regex.
+ type: string
+ kubernetes:
+ description: Kubernetes configures Calico to detect node addresses
+ based on the Kubernetes API.
+ enum:
+ - NodeInternalIP
+ type: string
+ skipInterface:
+ description: |-
+ SkipInterface enables IP auto-detection based on interfaces that do not match
+ the given regex.
+ type: string
+ type: object
+ nodeAddressAutodetectionV6:
+ description: |-
+ NodeAddressAutodetectionV6 specifies an approach to automatically detect node IPv6 addresses. If not specified,
+ IPv6 addresses will not be auto-detected.
+ properties:
+ canReach:
+ description: |-
+ CanReach enables IP auto-detection based on which source address on the node is used to reach the
+ specified IP or domain.
+ type: string
+ cidrs:
+ description: |-
+ CIDRS enables IP auto-detection based on which addresses on the nodes are within
+ one of the provided CIDRs.
+ items:
+ type: string
+ type: array
+ firstFound:
+ description: |-
+ FirstFound uses default interface matching parameters to select an interface, performing best-effort
+ filtering based on well-known interface names.
+ type: boolean
+ interface:
+ description: Interface enables IP auto-detection based on
+ interfaces that match the given regex.
+ type: string
+ kubernetes:
+ description: Kubernetes configures Calico to detect node addresses
+ based on the Kubernetes API.
+ enum:
+ - NodeInternalIP
+ type: string
+ skipInterface:
+ description: |-
+ SkipInterface enables IP auto-detection based on interfaces that do not match
+ the given regex.
+ type: string
+ type: object
+ sysctl:
+ description: Sysctl configures sysctl parameters for tuning plugin
+ items:
+ properties:
+ key:
+ enum:
+ - net.ipv4.tcp_keepalive_intvl
+ - net.ipv4.tcp_keepalive_probes
+ - net.ipv4.tcp_keepalive_time
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ windowsDataplane:
+ description: |-
+ WindowsDataplane is used to select the dataplane used for Windows nodes. In particular, it
+ causes the operator to add required mounts and environment variables for the particular dataplane.
+ If not specified, it is disabled and the operator will not render the Calico Windows nodes daemonset.
+ Default: Disabled
+ enum:
+ - HNS
+ - Disabled
+ type: string
+ type: object
+ calicoNodeDaemonSet:
+ description: |-
+ CalicoNodeDaemonSet configures the calico-node DaemonSet. If used in
+ conjunction with the deprecated ComponentResources, then these overrides take precedence.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's metadata
+ that is added to the DaemonSet.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the calico-node DaemonSet.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the calico-node DaemonSet.
+ If omitted, the calico-node DaemonSet will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the calico-node DaemonSet
+ pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the calico-node DaemonSet's PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the calico-node pods.
+ If specified, this overrides any affinity that may be set on the calico-node DaemonSet.
+ If omitted, the calico-node DaemonSet will use its default value for affinity.
+ WARNING: Please note that this field will override the default calico-node DaemonSet affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of calico-node containers.
+ If specified, this overrides the specified calico-node DaemonSet containers.
+ If omitted, the calico-node DaemonSet will use its default values for its containers.
+ items:
+ description: CalicoNodeDaemonSetContainer is a calico-node
+ DaemonSet container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-node DaemonSet container by name.
+ Supported values are: calico-node
+ enum:
+ - calico-node
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-node DaemonSet container's resources.
+ If omitted, the calico-node DaemonSet will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ initContainers:
+ description: |-
+ InitContainers is a list of calico-node init containers.
+ If specified, this overrides the specified calico-node DaemonSet init containers.
+ If omitted, the calico-node DaemonSet will use its default values for its init containers.
+ items:
+ description: CalicoNodeDaemonSetInitContainer is
+ a calico-node DaemonSet init container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-node DaemonSet init container by name.
+ Supported values are: install-cni, hostpath-init, flexvol-driver, mount-bpffs, node-certs-key-cert-provisioner, calico-node-prometheus-server-tls-key-cert-provisioner
+ enum:
+ - install-cni
+ - hostpath-init
+ - flexvol-driver
+ - mount-bpffs
+ - node-certs-key-cert-provisioner
+ - calico-node-prometheus-server-tls-key-cert-provisioner
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-node DaemonSet init container's resources.
+ If omitted, the calico-node DaemonSet will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-node pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-node DaemonSet nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-node DaemonSet will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-node DaemonSet nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the calico-node pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the calico-node DaemonSet.
+ If omitted, the calico-node DaemonSet will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-node DaemonSet tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ calicoNodeWindowsDaemonSet:
+ description: CalicoNodeWindowsDaemonSet configures the calico-node-windows
+ DaemonSet.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's metadata
+ that is added to the DaemonSet.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the calico-node-windows
+ DaemonSet.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the calico-node-windows DaemonSet.
+ If omitted, the calico-node-windows DaemonSet will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the calico-node-windows DaemonSet
+ pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the calico-node-windows DaemonSet's
+ PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the calico-node-windows pods.
+ If specified, this overrides any affinity that may be set on the calico-node-windows DaemonSet.
+ If omitted, the calico-node-windows DaemonSet will use its default value for affinity.
+ WARNING: Please note that this field will override the default calico-node-windows DaemonSet affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of calico-node-windows containers.
+ If specified, this overrides the specified calico-node-windows DaemonSet containers.
+ If omitted, the calico-node-windows DaemonSet will use its default values for its containers.
+ items:
+ description: CalicoNodeWindowsDaemonSetContainer
+ is a calico-node-windows DaemonSet container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-node-windows DaemonSet container by name.
+ Supported values are: calico-node-windows
+ enum:
+ - calico-node-windows
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-node-windows DaemonSet container's resources.
+ If omitted, the calico-node-windows DaemonSet will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ initContainers:
+ description: |-
+ InitContainers is a list of calico-node-windows init containers.
+ If specified, this overrides the specified calico-node-windows DaemonSet init containers.
+ If omitted, the calico-node-windows DaemonSet will use its default values for its init containers.
+ items:
+ description: CalicoNodeWindowsDaemonSetInitContainer
+ is a calico-node-windows DaemonSet init container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-node-windows DaemonSet init container by name.
+ Supported values are: install-cni;hostpath-init, flexvol-driver, mount-bpffs, node-certs-key-cert-provisioner, calico-node-windows-prometheus-server-tls-key-cert-provisioner
+ enum:
+ - install-cni
+ - hostpath-init
+ - flexvol-driver
+ - mount-bpffs
+ - node-certs-key-cert-provisioner
+ - calico-node-windows-prometheus-server-tls-key-cert-provisioner
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-node-windows DaemonSet init container's resources.
+ If omitted, the calico-node-windows DaemonSet will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-node-windows pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-node-windows DaemonSet nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-node-windows DaemonSet will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-node-windows DaemonSet nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the calico-node-windows pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the calico-node-windows DaemonSet.
+ If omitted, the calico-node-windows DaemonSet will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-node-windows DaemonSet tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ calicoWindowsUpgradeDaemonSet:
+ description: |-
+ Deprecated. The CalicoWindowsUpgradeDaemonSet is deprecated and will be removed from the API in the future.
+ CalicoWindowsUpgradeDaemonSet configures the calico-windows-upgrade DaemonSet.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's metadata
+ that is added to the Deployment.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the calico-windows-upgrade
+ DaemonSet.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the calico-windows-upgrade DaemonSet.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the calico-windows-upgrade
+ DaemonSet pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the calico-windows-upgrade DaemonSet's
+ PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the calico-windows-upgrade pods.
+ If specified, this overrides any affinity that may be set on the calico-windows-upgrade DaemonSet.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for affinity.
+ WARNING: Please note that this field will override the default calico-windows-upgrade DaemonSet affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of calico-windows-upgrade containers.
+ If specified, this overrides the specified calico-windows-upgrade DaemonSet containers.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default values for its containers.
+ items:
+ description: CalicoWindowsUpgradeDaemonSetContainer
+ is a calico-windows-upgrade DaemonSet container.
+ properties:
+ name:
+ description: Name is an enum which identifies
+ the calico-windows-upgrade DaemonSet container
+ by name.
+ enum:
+ - calico-windows-upgrade
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-windows-upgrade DaemonSet container's resources.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for this container's resources.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-windows-upgrade pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-windows-upgrade DaemonSet nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-windows-upgrade DaemonSet nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the calico-windows-upgrade pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the calico-windows-upgrade DaemonSet.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-windows-upgrade DaemonSet tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ certificateManagement:
+ description: |-
+ CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order
+ to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise
+ pods will be stuck during initialization.
+ properties:
+ caCert:
+ description: Certificate of the authority that signs the CertificateSigningRequests
+ in PEM format.
+ format: byte
+ type: string
+ keyAlgorithm:
+ description: |-
+ Specify the algorithm used by pods to generate a key pair that is associated with the X.509 certificate request.
+ Default: RSAWithSize2048
+ enum:
+ - ""
+ - RSAWithSize2048
+ - RSAWithSize4096
+ - RSAWithSize8192
+ - ECDSAWithCurve256
+ - ECDSAWithCurve384
+ - ECDSAWithCurve521
+ type: string
+ signatureAlgorithm:
+ description: |-
+ Specify the algorithm used for the signature of the X.509 certificate request.
+ Default: SHA256WithRSA
+ enum:
+ - ""
+ - SHA256WithRSA
+ - SHA384WithRSA
+ - SHA512WithRSA
+ - ECDSAWithSHA256
+ - ECDSAWithSHA384
+ - ECDSAWithSHA512
+ type: string
+ signerName:
+ description: |-
+ When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request in order to accommodate for clusters
+ with multiple signers.
+ Must be formatted as: `<my-domain>/<my-signername>`.
+ type: string
+ required:
+ - caCert
+ - signerName
+ type: object
+ cni:
+ description: CNI specifies the CNI that will be used by this installation.
+ properties:
+ ipam:
+ description: |-
+ IPAM specifies the pod IP address management that will be used in the Calico or
+ Calico Enterprise installation.
+ properties:
+ type:
+ description: |-
+ Specifies the IPAM plugin that will be used in the Calico or Calico Enterprise installation.
+ * For CNI Plugin Calico, this field defaults to Calico.
+ * For CNI Plugin GKE, this field defaults to HostLocal.
+ * For CNI Plugin AzureVNET, this field defaults to AzureVNET.
+ * For CNI Plugin AmazonVPC, this field defaults to AmazonVPC.
+ The IPAM plugin is installed and configured only if the CNI plugin is set to Calico,
+ for all other values of the CNI plugin the plugin binaries and CNI config is a dependency
+ that is expected to be installed separately.
+ Default: Calico
+ enum:
+ - Calico
+ - HostLocal
+ - AmazonVPC
+ - AzureVNET
+ type: string
+ required:
+ - type
+ type: object
+ type:
+ description: |-
+ Specifies the CNI plugin that will be used in the Calico or Calico Enterprise installation.
+ * For KubernetesProvider GKE, this field defaults to GKE.
+ * For KubernetesProvider AKS, this field defaults to AzureVNET.
+ * For KubernetesProvider EKS, this field defaults to AmazonVPC.
+ * If aws-node daemonset exists in kube-system when the Installation resource is created, this field defaults to AmazonVPC.
+ * For all other cases this field defaults to Calico.
+ For the value Calico, the CNI plugin binaries and CNI config will be installed as part of deployment,
+ for all other values the CNI plugin binaries and CNI config is a dependency that is expected
+ to be installed separately.
+ Default: Calico
+ enum:
+ - Calico
+ - GKE
+ - AmazonVPC
+ - AzureVNET
+ type: string
+ required:
+ - type
+ type: object
+ componentResources:
+ description: |-
+ Deprecated. Please use CalicoNodeDaemonSet, TyphaDeployment, and KubeControllersDeployment.
+ ComponentResources can be used to customize the resource requirements for each component.
+ Node, Typha, and KubeControllers are supported for installations.
+ items:
+ description: |-
+ Deprecated. Please use component resource config fields in Installation.Spec instead.
+ The ComponentResource struct associates a ResourceRequirements with a component by name
+ properties:
+ componentName:
+ description: ComponentName is an enum which identifies the component
+ enum:
+ - Node
+ - Typha
+ - KubeControllers
+ type: string
+ resourceRequirements:
+ description: ResourceRequirements allows customization of limits
+ and requests for compute resources such as cpu and memory.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - componentName
+ - resourceRequirements
+ type: object
+ type: array
+ controlPlaneNodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ ControlPlaneNodeSelector is used to select control plane nodes on which to run Calico
+ components. This is globally applied to all resources created by the operator excluding daemonsets.
+ type: object
+ controlPlaneReplicas:
+ description: |-
+ ControlPlaneReplicas defines how many replicas of the control plane core components will be deployed.
+ This field applies to all control plane components that support High Availability. Defaults to 2.
+ format: int32
+ type: integer
+ controlPlaneTolerations:
+ description: |-
+ ControlPlaneTolerations specify tolerations which are then globally applied to all resources
+ created by the operator.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ csiNodeDriverDaemonSet:
+ description: CSINodeDriverDaemonSet configures the csi-node-driver
+ DaemonSet.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's metadata
+ that is added to the DaemonSet.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the csi-node-driver
+ DaemonSet.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the csi-node-driver DaemonSet.
+ If omitted, the csi-node-driver DaemonSet will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the csi-node-driver DaemonSet
+ pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the csi-node-driver DaemonSet's PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the csi-node-driver pods.
+ If specified, this overrides any affinity that may be set on the csi-node-driver DaemonSet.
+ If omitted, the csi-node-driver DaemonSet will use its default value for affinity.
+ WARNING: Please note that this field will override the default csi-node-driver DaemonSet affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of csi-node-driver containers.
+ If specified, this overrides the specified csi-node-driver DaemonSet containers.
+ If omitted, the csi-node-driver DaemonSet will use its default values for its containers.
+ items:
+ description: CSINodeDriverDaemonSetContainer is
+ a csi-node-driver DaemonSet container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the csi-node-driver DaemonSet container by name.
+ Supported values are: calico-csi, csi-node-driver-registrar.
+ enum:
+ - calico-csi
+ - csi-node-driver-registrar
+ - csi-node-driver
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named csi-node-driver DaemonSet container's resources.
+ If omitted, the csi-node-driver DaemonSet will use its default value for this container's resources.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the csi-node-driver pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the csi-node-driver DaemonSet nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the csi-node-driver DaemonSet will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default csi-node-driver DaemonSet nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the csi-node-driver pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the csi-node-driver DaemonSet.
+ If omitted, the csi-node-driver DaemonSet will use its default value for tolerations.
+ WARNING: Please note that this field will override the default csi-node-driver DaemonSet tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ fipsMode:
+ description: |-
+ FIPSMode uses images and features only that are using FIPS 140-2 validated cryptographic modules and standards.
+ Only supported for Variant=Calico.
+ Default: Disabled
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ flexVolumePath:
+ description: |-
+ FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be
+ enabled by default. If set to 'None', FlexVolume will be disabled. The default is based on the
+ kubernetesProvider.
+ type: string
+ imagePath:
+ description: |-
+ ImagePath allows for the path part of an image to be specified. If specified
+ then the specified value will be used as the image path for each image. If not specified
+ or empty, the default for each image will be used.
+ A special case value, UseDefault, is supported to explicitly specify the default
+ image path will be used for each image.
+ Image format:
+ `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>`
+ This option allows configuring the `<imagePath>` portion of the above format.
+ type: string
+ imagePrefix:
+ description: |-
+ ImagePrefix allows for the prefix part of an image to be specified. If specified
+ then the given value will be used as a prefix on each image. If not specified
+ or empty, no prefix will be used.
+ A special case value, UseDefault, is supported to explicitly specify the default
+ image prefix will be used for each image.
+ Image format:
+ `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>`
+ This option allows configuring the `<imagePrefix>` portion of the above format.
+ type: string
+ imagePullSecrets:
+ description: |-
+ ImagePullSecrets is an array of references to container registry pull secrets to use. These are
+ applied to all images to be pulled.
+ items:
+ description: |-
+ LocalObjectReference contains enough information to let you locate the
+ referenced object inside the same namespace.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ kubeletVolumePluginPath:
+ description: |-
+ KubeletVolumePluginPath optionally specifies enablement of Calico CSI plugin. If not specified,
+ CSI will be enabled by default. If set to 'None', CSI will be disabled.
+ Default: /var/lib/kubelet
+ type: string
+ kubernetesProvider:
+ description: |-
+ KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration.
+ If the specified value is empty, the Operator will attempt to automatically determine the current provider.
+ If the specified value is not empty, the Operator will still attempt auto-detection, but
+ will additionally compare the auto-detected value to the specified value to confirm they match.
+ enum:
+ - ""
+ - EKS
+ - GKE
+ - AKS
+ - OpenShift
+ - DockerEnterprise
+ - RKE2
+ - TKG
+ type: string
+ logging:
+ description: Logging Configuration for Components
+ properties:
+ cni:
+ description: Customized logging specification for calico-cni plugin
+ properties:
+ logFileMaxAgeDays:
+ description: 'Default: 30 (days)'
+ format: int32
+ type: integer
+ logFileMaxCount:
+ description: 'Default: 10'
+ format: int32
+ type: integer
+ logFileMaxSize:
+ anyOf:
+ - type: integer
+ - type: string
+ description: 'Default: 100Mi'
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ logSeverity:
+ description: 'Default: Info'
+ enum:
+ - Error
+ - Warning
+ - Info
+ - Debug
+ type: string
+ type: object
+ type: object
+ nodeMetricsPort:
+ description: |-
+ NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled.
+ If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then
+ prometheus metrics may still be configured through FelixConfiguration.
+ format: int32
+ type: integer
+ nodeUpdateStrategy:
+ description: |-
+ NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable
+ field.
+ properties:
+ rollingUpdate:
+ description: Rolling update config params. Present only if type
+ = "RollingUpdate".
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of nodes with an existing available DaemonSet pod that
+ can have an updated DaemonSet pod during during an update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up to a minimum of 1.
+ Default value is 0.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their a new pod created before the old pod is marked as deleted.
+ The update starts by launching new pods on 30% of nodes. Once an updated
+ pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+ on that node is marked deleted. If the old pod becomes unavailable for any
+ reason (Ready transitions to false, is evicted, or is drained) an updated
+ pod is immediatedly created on that node without considering surge limits.
+ Allowing surge implies the possibility that the resources consumed by the
+ daemonset on any given node can double if the readiness check fails, and
+ so resource intensive daemonsets should take into account that they may
+ cause evictions during disruption.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of DaemonSet pods that can be unavailable during the
+ update. Value can be an absolute number (ex: 5) or a percentage of total
+ number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+ number is calculated from percentage by rounding up.
+ This cannot be 0 if MaxSurge is 0
+ Default value is 1.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their pods stopped for an update at any given time. The update
+ starts by stopping at most 30% of those DaemonSet pods and then brings
+ up new DaemonSet pods in their place. Once the new pods are available,
+ it then proceeds onto other DaemonSet pods, thus ensuring that at least
+ 70% of original number of DaemonSet pods are available at all times during
+ the update.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of daemon set update. Can be "RollingUpdate"
+ or "OnDelete". Default is RollingUpdate.
+ type: string
+ type: object
+ nonPrivileged:
+ description: NonPrivileged configures Calico to be run in non-privileged
+ containers as non-root users where possible.
+ type: string
+ proxy:
+ description: |-
+ Proxy is used to configure the HTTP(S) proxy settings that will be applied to Tigera containers that connect
+ to destinations outside the cluster. It is expected that NO_PROXY is configured such that destinations within
+ the cluster (including the API server) are exempt from proxying.
+ properties:
+ httpProxy:
+ description: |-
+ HTTPProxy defines the value of the HTTP_PROXY environment variable that will be set on Tigera containers that connect to
+ destinations outside the cluster.
+ type: string
+ httpsProxy:
+ description: |-
+ HTTPSProxy defines the value of the HTTPS_PROXY environment variable that will be set on Tigera containers that connect to
+ destinations outside the cluster.
+ type: string
+ noProxy:
+ description: |-
+ NoProxy defines the value of the NO_PROXY environment variable that will be set on Tigera containers that connect to
+ destinations outside the cluster. This value must be set such that destinations within the scope of the cluster, including
+ the Kubernetes API server, are exempt from being proxied.
+ type: string
+ type: object
+ registry:
+ description: |-
+ Registry is the default Docker registry used for component Docker images.
+ If specified then the given value must end with a slash character (`/`) and all images will be pulled from this registry.
+ If not specified then the default registries will be used. A special case value, UseDefault, is
+ supported to explicitly specify the default registries will be used.
+ Image format:
+ `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>`
+ This option allows configuring the `<registry>` portion of the above format.
+ type: string
+ serviceCIDRs:
+ description: Kubernetes Service CIDRs. Specifying this is required
+ when using Calico for Windows.
+ items:
+ type: string
+ type: array
+ typhaAffinity:
+ description: |-
+ Deprecated. Please use Installation.Spec.TyphaDeployment instead.
+ TyphaAffinity allows configuration of node affinity characteristics for Typha pods.
+ properties:
+ nodeAffinity:
+ description: NodeAffinity describes node affinity scheduling rules
+ for typha.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated with the
+ corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements
+ by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector requirements
+ by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with matching the corresponding
+ nodeSelectorTerm, in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ WARNING: Please note that if the affinity requirements specified by this field are not met at
+ scheduling time, the pod will NOT be scheduled onto the node.
+ There is no fallback to another affinity rules with this setting.
+ This may cause networking disruption or even catastrophic failure!
+ PreferredDuringSchedulingIgnoredDuringExecution should be used for affinity
+ unless there is a specific well understood reason to use RequiredDuringSchedulingIgnoredDuringExecution and
+ you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution will always have sufficient nodes to satisfy the requirement.
+ NOTE: RequiredDuringSchedulingIgnoredDuringExecution is set by default for AKS nodes,
+ to avoid scheduling Typhas on virtual-nodes.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node selector terms.
+ The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements
+ by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector requirements
+ by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ typhaDeployment:
+ description: |-
+ TyphaDeployment configures the typha Deployment. If used in conjunction with the deprecated
+ ComponentResources or TyphaAffinity, then these overrides take precedence.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's metadata
+ that is added to the Deployment.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the typha Deployment.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the typha Deployment.
+ If omitted, the typha Deployment will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ strategy:
+ description: The deployment strategy to use to replace existing
+ pods with new ones.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ to be.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ template:
+ description: Template describes the typha Deployment pod that
+ will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the typha Deployment's PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the typha pods.
+ If specified, this overrides any affinity that may be set on the typha Deployment.
+ If omitted, the typha Deployment will use its default value for affinity.
+ If used in conjunction with the deprecated TyphaAffinity, then this value takes precedence.
+ WARNING: Please note that this field will override the default calico-typha Deployment affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of typha containers.
+ If specified, this overrides the specified typha Deployment containers.
+ If omitted, the typha Deployment will use its default values for its containers.
+ items:
+ description: TyphaDeploymentContainer is a typha
+ Deployment container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the typha Deployment container by name.
+ Supported values are: calico-typha
+ enum:
+ - calico-typha
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named typha Deployment container's resources.
+ If omitted, the typha Deployment will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ initContainers:
+ description: |-
+ InitContainers is a list of typha init containers.
+ If specified, this overrides the specified typha Deployment init containers.
+ If omitted, the typha Deployment will use its default values for its init containers.
+ items:
+ description: TyphaDeploymentInitContainer is a typha
+ Deployment init container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the typha Deployment init container by name.
+ Supported values are: typha-certs-key-cert-provisioner
+ enum:
+ - typha-certs-key-cert-provisioner
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named typha Deployment init container's resources.
+ If omitted, the typha Deployment will use its default value for this init container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-typha pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-typha Deployment nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-typha Deployment will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-typha Deployment nodeSelector.
+ type: object
+ terminationGracePeriodSeconds:
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ If this value is nil, the default grace period will be used instead.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ Defaults to 30 seconds.
+ format: int64
+ type: integer
+ tolerations:
+ description: |-
+ Tolerations is the typha pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the typha Deployment.
+ If omitted, the typha Deployment will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-typha Deployment tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
+ items:
+ description: TopologySpreadConstraint specifies
+ how to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each <key, value> as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ typhaMetricsPort:
+ description: TyphaMetricsPort specifies which port calico/typha serves
+ prometheus metrics on. By default, metrics are not enabled.
+ format: int32
+ type: integer
+ variant:
+ description: |-
+ Variant is the product to install - one of Calico or TigeraSecureEnterprise
+ Default: Calico
+ enum:
+ - Calico
+ - TigeraSecureEnterprise
+ type: string
+ windowsNodes:
+ description: Windows Configuration
+ properties:
+ cniBinDir:
+ description: |-
+ CNIBinDir is the path to the CNI binaries directory on Windows, it must match what is used as 'bin_dir' under
+ [plugins]
+ [plugins."io.containerd.grpc.v1.cri"]
+ [plugins."io.containerd.grpc.v1.cri".cni]
+ on the containerd 'config.toml' file on the Windows nodes.
+ type: string
+ cniConfigDir:
+ description: |-
+ CNIConfigDir is the path to the CNI configuration directory on Windows, it must match what is used as 'conf_dir' under
+ [plugins]
+ [plugins."io.containerd.grpc.v1.cri"]
+ [plugins."io.containerd.grpc.v1.cri".cni]
+ on the containerd 'config.toml' file on the Windows nodes.
+ type: string
+ cniLogDir:
+ description: CNILogDir is the path to the Calico CNI logs directory
+ on Windows.
+ type: string
+ vxlanAdapter:
+ description: VXLANAdapter is the Network Adapter used for VXLAN,
+ leave blank for primary NIC
+ type: string
+ vxlanMACPrefix:
+ description: VXLANMACPrefix is the prefix used when generating
+ MAC addresses for virtual NICs
+ pattern: ^[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}$
+ type: string
+ type: object
+ type: object
+ status:
+ description: Most recently observed state for the Calico or Calico Enterprise
+ installation.
+ properties:
+ calicoVersion:
+ description: |-
+ CalicoVersion shows the current running version of calico.
+ CalicoVersion along with Variant is needed to know the exact
+ version deployed.
+ type: string
+ computed:
+ description: Computed is the final installation including overlaid
+ resources.
+ properties:
+ azure:
+ description: Azure is used to configure azure provider specific
+ options.
+ properties:
+ policyMode:
+ default: Default
+ description: |-
+ PolicyMode determines whether the "control-plane" label is applied to namespaces. It offers two options: Default and Manual.
+ The Default option adds the "control-plane" label to the required namespaces.
+ The Manual option does not apply the "control-plane" label to any namespace.
+ Default: Default
+ enum:
+ - Default
+ - Manual
+ type: string
+ type: object
+ calicoKubeControllersDeployment:
+ description: |-
+ CalicoKubeControllersDeployment configures the calico-kube-controllers Deployment. If used in
+ conjunction with the deprecated ComponentResources, then these overrides take precedence.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's
+ metadata that is added to the Deployment.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the calico-kube-controllers
+ Deployment.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the calico-kube-controllers Deployment.
+ If omitted, the calico-kube-controllers Deployment will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the calico-kube-controllers
+ Deployment pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the calico-kube-controllers Deployment's
+ PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the calico-kube-controllers pods.
+ If specified, this overrides any affinity that may be set on the calico-kube-controllers Deployment.
+ If omitted, the calico-kube-controllers Deployment will use its default value for affinity.
+ WARNING: Please note that this field will override the default calico-kube-controllers Deployment affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term,
+ associated with the corresponding
+ weight.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the
+ same node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of calico-kube-controllers containers.
+ If specified, this overrides the specified calico-kube-controllers Deployment containers.
+ If omitted, the calico-kube-controllers Deployment will use its default values for its containers.
+ items:
+ description: CalicoKubeControllersDeploymentContainer
+ is a calico-kube-controllers Deployment container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-kube-controllers Deployment container by name.
+ Supported values are: calico-kube-controllers, es-calico-kube-controllers
+ enum:
+ - calico-kube-controllers
+ - es-calico-kube-controllers
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-kube-controllers Deployment container's resources.
+ If omitted, the calico-kube-controllers Deployment will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-kube-controllers pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-kube-controllers Deployment nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If used in conjunction with ControlPlaneNodeSelector, that nodeSelector is set on the calico-kube-controllers Deployment
+ and each of this field's key/value pairs are added to the calico-kube-controllers Deployment nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-kube-controllers Deployment will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-kube-controllers Deployment nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the calico-kube-controllers pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the calico-kube-controllers Deployment.
+ If omitted, the calico-kube-controllers Deployment will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-kube-controllers Deployment tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ calicoNetwork:
+ description: CalicoNetwork specifies networking configuration
+ options for Calico.
+ properties:
+ bgp:
+ description: BGP configures whether or not to enable Calico's
+ BGP capabilities.
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ containerIPForwarding:
+ description: |-
+ ContainerIPForwarding configures whether ip forwarding will be enabled for containers in the CNI configuration.
+ Default: Disabled
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ hostPorts:
+ description: |-
+ HostPorts configures whether or not Calico will support Kubernetes HostPorts. Valid only when using the Calico CNI plugin.
+ Default: Enabled
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ ipPools:
+ description: |-
+ IPPools contains a list of IP pools to manage. If nil, a single IPv4 IP pool
+ will be created by the operator. If an empty list is provided, the operator will not create any IP pools and will instead
+ wait for IP pools to be created out-of-band.
+ IP pools in this list will be reconciled by the operator and should not be modified out-of-band.
+ items:
+ properties:
+ allowedUses:
+ description: |-
+ AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to
+ ["Tunnel", "Workload"] for back-compatibility
+ items:
+ type: string
+ type: array
+ assignmentMode:
+ description: AssignmentMode determines if IP addresses
+ from this pool should be assigned automatically or
+ on request only
+ type: string
+ blockSize:
+ description: |-
+ BlockSize specifies the CIDR prefex length to use when allocating per-node IP blocks from
+ the main IP pool CIDR.
+ Default: 26 (IPv4), 122 (IPv6)
+ format: int32
+ type: integer
+ cidr:
+ description: CIDR contains the address range for the
+ IP Pool in classless inter-domain routing format.
+ type: string
+ disableBGPExport:
+ default: false
+ description: |-
+ DisableBGPExport specifies whether routes from this IP pool's CIDR are exported over BGP.
+ Default: false
+ type: boolean
+ disableNewAllocations:
+ description: |-
+ DisableNewAllocations specifies whether or not new IP allocations are allowed from this pool.
+ This is useful when you want to prevent new pods from receiving IP addresses from this pool, without
+ impacting any existing pods that have already been assigned addresses from this pool.
+ type: boolean
+ encapsulation:
+ description: |-
+ Encapsulation specifies the encapsulation type that will be used with
+ the IP Pool.
+ Default: IPIP
+ enum:
+ - IPIPCrossSubnet
+ - IPIP
+ - VXLAN
+ - VXLANCrossSubnet
+ - None
+ type: string
+ name:
+ description: Name is the name of the IP pool. If omitted,
+ this will be generated.
+ type: string
+ natOutgoing:
+ description: |-
+ NATOutgoing specifies if NAT will be enabled or disabled for outgoing traffic.
+ Default: Enabled
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ nodeSelector:
+ description: |-
+ NodeSelector specifies the node selector that will be set for the IP Pool.
+ Default: 'all()'
+ type: string
+ required:
+ - cidr
+ type: object
+ maxItems: 25
+ type: array
+ linuxDataplane:
+ description: |-
+ LinuxDataplane is used to select the dataplane used for Linux nodes. In particular, it
+ causes the operator to add required mounts and environment variables for the particular dataplane.
+ If not specified, iptables mode is used.
+ Default: Iptables
+ enum:
+ - Iptables
+ - BPF
+ - VPP
+ - Nftables
+ type: string
+ linuxPolicySetupTimeoutSeconds:
+ description: |-
+ LinuxPolicySetupTimeoutSeconds delays new pods from running containers
+ until their policy has been programmed in the dataplane.
+ The specified delay defines the maximum amount of time
+ that the Calico CNI plugin will wait for policy to be programmed.
+ Only applies to pods created on Linux nodes.
+ * A value of 0 disables pod startup delays.
+ Default: 0
+ format: int32
+ type: integer
+ mtu:
+ description: |-
+ MTU specifies the maximum transmission unit to use on the pod network.
+ If not specified, Calico will perform MTU auto-detection based on the cluster network.
+ format: int32
+ type: integer
+ multiInterfaceMode:
+ description: |-
+ MultiInterfaceMode configures what will configure multiple interface per pod. Only valid for Calico Enterprise installations
+ using the Calico CNI plugin.
+ Default: None
+ enum:
+ - None
+ - Multus
+ type: string
+ nodeAddressAutodetectionV4:
+ description: |-
+ NodeAddressAutodetectionV4 specifies an approach to automatically detect node IPv4 addresses. If not specified,
+ will use default auto-detection settings to acquire an IPv4 address for each node.
+ properties:
+ canReach:
+ description: |-
+ CanReach enables IP auto-detection based on which source address on the node is used to reach the
+ specified IP or domain.
+ type: string
+ cidrs:
+ description: |-
+ CIDRS enables IP auto-detection based on which addresses on the nodes are within
+ one of the provided CIDRs.
+ items:
+ type: string
+ type: array
+ firstFound:
+ description: |-
+ FirstFound uses default interface matching parameters to select an interface, performing best-effort
+ filtering based on well-known interface names.
+ type: boolean
+ interface:
+ description: Interface enables IP auto-detection based
+ on interfaces that match the given regex.
+ type: string
+ kubernetes:
+ description: Kubernetes configures Calico to detect node
+ addresses based on the Kubernetes API.
+ enum:
+ - NodeInternalIP
+ type: string
+ skipInterface:
+ description: |-
+ SkipInterface enables IP auto-detection based on interfaces that do not match
+ the given regex.
+ type: string
+ type: object
+ nodeAddressAutodetectionV6:
+ description: |-
+ NodeAddressAutodetectionV6 specifies an approach to automatically detect node IPv6 addresses. If not specified,
+ IPv6 addresses will not be auto-detected.
+ properties:
+ canReach:
+ description: |-
+ CanReach enables IP auto-detection based on which source address on the node is used to reach the
+ specified IP or domain.
+ type: string
+ cidrs:
+ description: |-
+ CIDRS enables IP auto-detection based on which addresses on the nodes are within
+ one of the provided CIDRs.
+ items:
+ type: string
+ type: array
+ firstFound:
+ description: |-
+ FirstFound uses default interface matching parameters to select an interface, performing best-effort
+ filtering based on well-known interface names.
+ type: boolean
+ interface:
+ description: Interface enables IP auto-detection based
+ on interfaces that match the given regex.
+ type: string
+ kubernetes:
+ description: Kubernetes configures Calico to detect node
+ addresses based on the Kubernetes API.
+ enum:
+ - NodeInternalIP
+ type: string
+ skipInterface:
+ description: |-
+ SkipInterface enables IP auto-detection based on interfaces that do not match
+ the given regex.
+ type: string
+ type: object
+ sysctl:
+ description: Sysctl configures sysctl parameters for tuning
+ plugin
+ items:
+ properties:
+ key:
+ enum:
+ - net.ipv4.tcp_keepalive_intvl
+ - net.ipv4.tcp_keepalive_probes
+ - net.ipv4.tcp_keepalive_time
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ windowsDataplane:
+ description: |-
+ WindowsDataplane is used to select the dataplane used for Windows nodes. In particular, it
+ causes the operator to add required mounts and environment variables for the particular dataplane.
+ If not specified, it is disabled and the operator will not render the Calico Windows nodes daemonset.
+ Default: Disabled
+ enum:
+ - HNS
+ - Disabled
+ type: string
+ type: object
+ calicoNodeDaemonSet:
+ description: |-
+ CalicoNodeDaemonSet configures the calico-node DaemonSet. If used in
+ conjunction with the deprecated ComponentResources, then these overrides take precedence.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's
+ metadata that is added to the DaemonSet.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the calico-node
+ DaemonSet.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the calico-node DaemonSet.
+ If omitted, the calico-node DaemonSet will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the calico-node DaemonSet
+ pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the calico-node DaemonSet's PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the calico-node pods.
+ If specified, this overrides any affinity that may be set on the calico-node DaemonSet.
+ If omitted, the calico-node DaemonSet will use its default value for affinity.
+ WARNING: Please note that this field will override the default calico-node DaemonSet affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term,
+ associated with the corresponding
+ weight.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the
+ same node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of calico-node containers.
+ If specified, this overrides the specified calico-node DaemonSet containers.
+ If omitted, the calico-node DaemonSet will use its default values for its containers.
+ items:
+ description: CalicoNodeDaemonSetContainer is
+ a calico-node DaemonSet container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-node DaemonSet container by name.
+ Supported values are: calico-node
+ enum:
+ - calico-node
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-node DaemonSet container's resources.
+ If omitted, the calico-node DaemonSet will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ initContainers:
+ description: |-
+ InitContainers is a list of calico-node init containers.
+ If specified, this overrides the specified calico-node DaemonSet init containers.
+ If omitted, the calico-node DaemonSet will use its default values for its init containers.
+ items:
+ description: CalicoNodeDaemonSetInitContainer
+ is a calico-node DaemonSet init container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-node DaemonSet init container by name.
+ Supported values are: install-cni, hostpath-init, flexvol-driver, mount-bpffs, node-certs-key-cert-provisioner, calico-node-prometheus-server-tls-key-cert-provisioner
+ enum:
+ - install-cni
+ - hostpath-init
+ - flexvol-driver
+ - mount-bpffs
+ - node-certs-key-cert-provisioner
+ - calico-node-prometheus-server-tls-key-cert-provisioner
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-node DaemonSet init container's resources.
+ If omitted, the calico-node DaemonSet will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-node pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-node DaemonSet nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-node DaemonSet will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-node DaemonSet nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the calico-node pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the calico-node DaemonSet.
+ If omitted, the calico-node DaemonSet will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-node DaemonSet tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ calicoNodeWindowsDaemonSet:
+ description: CalicoNodeWindowsDaemonSet configures the calico-node-windows
+ DaemonSet.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's
+ metadata that is added to the DaemonSet.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the calico-node-windows
+ DaemonSet.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the calico-node-windows DaemonSet.
+ If omitted, the calico-node-windows DaemonSet will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the calico-node-windows
+ DaemonSet pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the calico-node-windows DaemonSet's
+ PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the calico-node-windows pods.
+ If specified, this overrides any affinity that may be set on the calico-node-windows DaemonSet.
+ If omitted, the calico-node-windows DaemonSet will use its default value for affinity.
+ WARNING: Please note that this field will override the default calico-node-windows DaemonSet affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term,
+ associated with the corresponding
+ weight.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the
+ same node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of calico-node-windows containers.
+ If specified, this overrides the specified calico-node-windows DaemonSet containers.
+ If omitted, the calico-node-windows DaemonSet will use its default values for its containers.
+ items:
+ description: CalicoNodeWindowsDaemonSetContainer
+ is a calico-node-windows DaemonSet container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-node-windows DaemonSet container by name.
+ Supported values are: calico-node-windows
+ enum:
+ - calico-node-windows
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-node-windows DaemonSet container's resources.
+ If omitted, the calico-node-windows DaemonSet will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ initContainers:
+ description: |-
+ InitContainers is a list of calico-node-windows init containers.
+ If specified, this overrides the specified calico-node-windows DaemonSet init containers.
+ If omitted, the calico-node-windows DaemonSet will use its default values for its init containers.
+ items:
+ description: CalicoNodeWindowsDaemonSetInitContainer
+ is a calico-node-windows DaemonSet init container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the calico-node-windows DaemonSet init container by name.
+ Supported values are: install-cni;hostpath-init, flexvol-driver, mount-bpffs, node-certs-key-cert-provisioner, calico-node-windows-prometheus-server-tls-key-cert-provisioner
+ enum:
+ - install-cni
+ - hostpath-init
+ - flexvol-driver
+ - mount-bpffs
+ - node-certs-key-cert-provisioner
+ - calico-node-windows-prometheus-server-tls-key-cert-provisioner
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-node-windows DaemonSet init container's resources.
+ If omitted, the calico-node-windows DaemonSet will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-node-windows pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-node-windows DaemonSet nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-node-windows DaemonSet will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-node-windows DaemonSet nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the calico-node-windows pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the calico-node-windows DaemonSet.
+ If omitted, the calico-node-windows DaemonSet will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-node-windows DaemonSet tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ calicoWindowsUpgradeDaemonSet:
+ description: |-
+ Deprecated. The CalicoWindowsUpgradeDaemonSet is deprecated and will be removed from the API in the future.
+ CalicoWindowsUpgradeDaemonSet configures the calico-windows-upgrade DaemonSet.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's
+ metadata that is added to the Deployment.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the calico-windows-upgrade
+ DaemonSet.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the calico-windows-upgrade DaemonSet.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the calico-windows-upgrade
+ DaemonSet pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the calico-windows-upgrade DaemonSet's
+ PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the calico-windows-upgrade pods.
+ If specified, this overrides any affinity that may be set on the calico-windows-upgrade DaemonSet.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for affinity.
+ WARNING: Please note that this field will override the default calico-windows-upgrade DaemonSet affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term,
+ associated with the corresponding
+ weight.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the
+ same node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of calico-windows-upgrade containers.
+ If specified, this overrides the specified calico-windows-upgrade DaemonSet containers.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default values for its containers.
+ items:
+ description: CalicoWindowsUpgradeDaemonSetContainer
+ is a calico-windows-upgrade DaemonSet container.
+ properties:
+ name:
+ description: Name is an enum which identifies
+ the calico-windows-upgrade DaemonSet container
+ by name.
+ enum:
+ - calico-windows-upgrade
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named calico-windows-upgrade DaemonSet container's resources.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for this container's resources.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-windows-upgrade pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-windows-upgrade DaemonSet nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-windows-upgrade DaemonSet nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the calico-windows-upgrade pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the calico-windows-upgrade DaemonSet.
+ If omitted, the calico-windows-upgrade DaemonSet will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-windows-upgrade DaemonSet tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ certificateManagement:
+ description: |-
+ CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order
+ to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise
+ pods will be stuck during initialization.
+ properties:
+ caCert:
+ description: Certificate of the authority that signs the CertificateSigningRequests
+ in PEM format.
+ format: byte
+ type: string
+ keyAlgorithm:
+ description: |-
+ Specify the algorithm used by pods to generate a key pair that is associated with the X.509 certificate request.
+ Default: RSAWithSize2048
+ enum:
+ - ""
+ - RSAWithSize2048
+ - RSAWithSize4096
+ - RSAWithSize8192
+ - ECDSAWithCurve256
+ - ECDSAWithCurve384
+ - ECDSAWithCurve521
+ type: string
+ signatureAlgorithm:
+ description: |-
+ Specify the algorithm used for the signature of the X.509 certificate request.
+ Default: SHA256WithRSA
+ enum:
+ - ""
+ - SHA256WithRSA
+ - SHA384WithRSA
+ - SHA512WithRSA
+ - ECDSAWithSHA256
+ - ECDSAWithSHA384
+ - ECDSAWithSHA512
+ type: string
+ signerName:
+ description: |-
+ When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request in order to accommodate for clusters
+ with multiple signers.
+ Must be formatted as: `<my-domain>/<my-signername>`.
+ type: string
+ required:
+ - caCert
+ - signerName
+ type: object
+ cni:
+ description: CNI specifies the CNI that will be used by this installation.
+ properties:
+ ipam:
+ description: |-
+ IPAM specifies the pod IP address management that will be used in the Calico or
+ Calico Enterprise installation.
+ properties:
+ type:
+ description: |-
+ Specifies the IPAM plugin that will be used in the Calico or Calico Enterprise installation.
+ * For CNI Plugin Calico, this field defaults to Calico.
+ * For CNI Plugin GKE, this field defaults to HostLocal.
+ * For CNI Plugin AzureVNET, this field defaults to AzureVNET.
+ * For CNI Plugin AmazonVPC, this field defaults to AmazonVPC.
+ The IPAM plugin is installed and configured only if the CNI plugin is set to Calico,
+ for all other values of the CNI plugin the plugin binaries and CNI config is a dependency
+ that is expected to be installed separately.
+ Default: Calico
+ enum:
+ - Calico
+ - HostLocal
+ - AmazonVPC
+ - AzureVNET
+ type: string
+ required:
+ - type
+ type: object
+ type:
+ description: |-
+ Specifies the CNI plugin that will be used in the Calico or Calico Enterprise installation.
+ * For KubernetesProvider GKE, this field defaults to GKE.
+ * For KubernetesProvider AKS, this field defaults to AzureVNET.
+ * For KubernetesProvider EKS, this field defaults to AmazonVPC.
+ * If aws-node daemonset exists in kube-system when the Installation resource is created, this field defaults to AmazonVPC.
+ * For all other cases this field defaults to Calico.
+ For the value Calico, the CNI plugin binaries and CNI config will be installed as part of deployment,
+ for all other values the CNI plugin binaries and CNI config is a dependency that is expected
+ to be installed separately.
+ Default: Calico
+ enum:
+ - Calico
+ - GKE
+ - AmazonVPC
+ - AzureVNET
+ type: string
+ required:
+ - type
+ type: object
+ componentResources:
+ description: |-
+ Deprecated. Please use CalicoNodeDaemonSet, TyphaDeployment, and KubeControllersDeployment.
+ ComponentResources can be used to customize the resource requirements for each component.
+ Node, Typha, and KubeControllers are supported for installations.
+ items:
+ description: |-
+ Deprecated. Please use component resource config fields in Installation.Spec instead.
+ The ComponentResource struct associates a ResourceRequirements with a component by name
+ properties:
+ componentName:
+ description: ComponentName is an enum which identifies the
+ component
+ enum:
+ - Node
+ - Typha
+ - KubeControllers
+ type: string
+ resourceRequirements:
+ description: ResourceRequirements allows customization of
+ limits and requests for compute resources such as cpu
+ and memory.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry in
+ PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - componentName
+ - resourceRequirements
+ type: object
+ type: array
+ controlPlaneNodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ ControlPlaneNodeSelector is used to select control plane nodes on which to run Calico
+ components. This is globally applied to all resources created by the operator excluding daemonsets.
+ type: object
+ controlPlaneReplicas:
+ description: |-
+ ControlPlaneReplicas defines how many replicas of the control plane core components will be deployed.
+ This field applies to all control plane components that support High Availability. Defaults to 2.
+ format: int32
+ type: integer
+ controlPlaneTolerations:
+ description: |-
+ ControlPlaneTolerations specify tolerations which are then globally applied to all resources
+ created by the operator.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ csiNodeDriverDaemonSet:
+ description: CSINodeDriverDaemonSet configures the csi-node-driver
+ DaemonSet.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's
+ metadata that is added to the DaemonSet.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the csi-node-driver
+ DaemonSet.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the csi-node-driver DaemonSet.
+ If omitted, the csi-node-driver DaemonSet will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ template:
+ description: Template describes the csi-node-driver DaemonSet
+ pod that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the csi-node-driver DaemonSet's
+ PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the csi-node-driver pods.
+ If specified, this overrides any affinity that may be set on the csi-node-driver DaemonSet.
+ If omitted, the csi-node-driver DaemonSet will use its default value for affinity.
+ WARNING: Please note that this field will override the default csi-node-driver DaemonSet affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term,
+ associated with the corresponding
+ weight.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the
+ same node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of csi-node-driver containers.
+ If specified, this overrides the specified csi-node-driver DaemonSet containers.
+ If omitted, the csi-node-driver DaemonSet will use its default values for its containers.
+ items:
+ description: CSINodeDriverDaemonSetContainer
+ is a csi-node-driver DaemonSet container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the csi-node-driver DaemonSet container by name.
+ Supported values are: calico-csi, csi-node-driver-registrar.
+ enum:
+ - calico-csi
+ - csi-node-driver-registrar
+ - csi-node-driver
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named csi-node-driver DaemonSet container's resources.
+ If omitted, the csi-node-driver DaemonSet will use its default value for this container's resources.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the csi-node-driver pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the csi-node-driver DaemonSet nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the csi-node-driver DaemonSet will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default csi-node-driver DaemonSet nodeSelector.
+ type: object
+ tolerations:
+ description: |-
+ Tolerations is the csi-node-driver pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the csi-node-driver DaemonSet.
+ If omitted, the csi-node-driver DaemonSet will use its default value for tolerations.
+ WARNING: Please note that this field will override the default csi-node-driver DaemonSet tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ fipsMode:
+ description: |-
+ FIPSMode uses images and features only that are using FIPS 140-2 validated cryptographic modules and standards.
+ Only supported for Variant=Calico.
+ Default: Disabled
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ flexVolumePath:
+ description: |-
+ FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be
+ enabled by default. If set to 'None', FlexVolume will be disabled. The default is based on the
+ kubernetesProvider.
+ type: string
+ imagePath:
+ description: |-
+ ImagePath allows for the path part of an image to be specified. If specified
+ then the specified value will be used as the image path for each image. If not specified
+ or empty, the default for each image will be used.
+ A special case value, UseDefault, is supported to explicitly specify the default
+ image path will be used for each image.
+ Image format:
+ `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>`
+ This option allows configuring the `<imagePath>` portion of the above format.
+ type: string
+ imagePrefix:
+ description: |-
+ ImagePrefix allows for the prefix part of an image to be specified. If specified
+ then the given value will be used as a prefix on each image. If not specified
+ or empty, no prefix will be used.
+ A special case value, UseDefault, is supported to explicitly specify the default
+ image prefix will be used for each image.
+ Image format:
+ `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>`
+ This option allows configuring the `<imagePrefix>` portion of the above format.
+ type: string
+ imagePullSecrets:
+ description: |-
+ ImagePullSecrets is an array of references to container registry pull secrets to use. These are
+ applied to all images to be pulled.
+ items:
+ description: |-
+ LocalObjectReference contains enough information to let you locate the
+ referenced object inside the same namespace.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ kubeletVolumePluginPath:
+ description: |-
+ KubeletVolumePluginPath optionally specifies enablement of Calico CSI plugin. If not specified,
+ CSI will be enabled by default. If set to 'None', CSI will be disabled.
+ Default: /var/lib/kubelet
+ type: string
+ kubernetesProvider:
+ description: |-
+ KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration.
+ If the specified value is empty, the Operator will attempt to automatically determine the current provider.
+ If the specified value is not empty, the Operator will still attempt auto-detection, but
+ will additionally compare the auto-detected value to the specified value to confirm they match.
+ enum:
+ - ""
+ - EKS
+ - GKE
+ - AKS
+ - OpenShift
+ - DockerEnterprise
+ - RKE2
+ - TKG
+ type: string
+ logging:
+ description: Logging Configuration for Components
+ properties:
+ cni:
+ description: Customized logging specification for calico-cni
+ plugin
+ properties:
+ logFileMaxAgeDays:
+ description: 'Default: 30 (days)'
+ format: int32
+ type: integer
+ logFileMaxCount:
+ description: 'Default: 10'
+ format: int32
+ type: integer
+ logFileMaxSize:
+ anyOf:
+ - type: integer
+ - type: string
+ description: 'Default: 100Mi'
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ logSeverity:
+ description: 'Default: Info'
+ enum:
+ - Error
+ - Warning
+ - Info
+ - Debug
+ type: string
+ type: object
+ type: object
+ nodeMetricsPort:
+ description: |-
+ NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled.
+ If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then
+ prometheus metrics may still be configured through FelixConfiguration.
+ format: int32
+ type: integer
+ nodeUpdateStrategy:
+ description: |-
+ NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable
+ field.
+ properties:
+ rollingUpdate:
+ description: Rolling update config params. Present only if
+ type = "RollingUpdate".
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of nodes with an existing available DaemonSet pod that
+ can have an updated DaemonSet pod during during an update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up to a minimum of 1.
+ Default value is 0.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their a new pod created before the old pod is marked as deleted.
+ The update starts by launching new pods on 30% of nodes. Once an updated
+ pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+ on that node is marked deleted. If the old pod becomes unavailable for any
+ reason (Ready transitions to false, is evicted, or is drained) an updated
+ pod is immediatedly created on that node without considering surge limits.
+ Allowing surge implies the possibility that the resources consumed by the
+ daemonset on any given node can double if the readiness check fails, and
+ so resource intensive daemonsets should take into account that they may
+ cause evictions during disruption.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of DaemonSet pods that can be unavailable during the
+ update. Value can be an absolute number (ex: 5) or a percentage of total
+ number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+ number is calculated from percentage by rounding up.
+ This cannot be 0 if MaxSurge is 0
+ Default value is 1.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their pods stopped for an update at any given time. The update
+ starts by stopping at most 30% of those DaemonSet pods and then brings
+ up new DaemonSet pods in their place. Once the new pods are available,
+ it then proceeds onto other DaemonSet pods, thus ensuring that at least
+ 70% of original number of DaemonSet pods are available at all times during
+ the update.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of daemon set update. Can be "RollingUpdate"
+ or "OnDelete". Default is RollingUpdate.
+ type: string
+ type: object
+ nonPrivileged:
+ description: NonPrivileged configures Calico to be run in non-privileged
+ containers as non-root users where possible.
+ type: string
+ proxy:
+ description: |-
+ Proxy is used to configure the HTTP(S) proxy settings that will be applied to Tigera containers that connect
+ to destinations outside the cluster. It is expected that NO_PROXY is configured such that destinations within
+ the cluster (including the API server) are exempt from proxying.
+ properties:
+ httpProxy:
+ description: |-
+ HTTPProxy defines the value of the HTTP_PROXY environment variable that will be set on Tigera containers that connect to
+ destinations outside the cluster.
+ type: string
+ httpsProxy:
+ description: |-
+ HTTPSProxy defines the value of the HTTPS_PROXY environment variable that will be set on Tigera containers that connect to
+ destinations outside the cluster.
+ type: string
+ noProxy:
+ description: |-
+ NoProxy defines the value of the NO_PROXY environment variable that will be set on Tigera containers that connect to
+ destinations outside the cluster. This value must be set such that destinations within the scope of the cluster, including
+ the Kubernetes API server, are exempt from being proxied.
+ type: string
+ type: object
+ registry:
+ description: |-
+ Registry is the default Docker registry used for component Docker images.
+ If specified then the given value must end with a slash character (`/`) and all images will be pulled from this registry.
+ If not specified then the default registries will be used. A special case value, UseDefault, is
+ supported to explicitly specify the default registries will be used.
+ Image format:
+ `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>`
+ This option allows configuring the `<registry>` portion of the above format.
+ type: string
+ serviceCIDRs:
+ description: Kubernetes Service CIDRs. Specifying this is required
+ when using Calico for Windows.
+ items:
+ type: string
+ type: array
+ typhaAffinity:
+ description: |-
+ Deprecated. Please use Installation.Spec.TyphaDeployment instead.
+ TyphaAffinity allows configuration of node affinity characteristics for Typha pods.
+ properties:
+ nodeAffinity:
+ description: NodeAffinity describes node affinity scheduling
+ rules for typha.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated with
+ the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements
+ by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector requirements
+ by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with matching the
+ corresponding nodeSelectorTerm, in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ WARNING: Please note that if the affinity requirements specified by this field are not met at
+ scheduling time, the pod will NOT be scheduled onto the node.
+ There is no fallback to another affinity rules with this setting.
+ This may cause networking disruption or even catastrophic failure!
+ PreferredDuringSchedulingIgnoredDuringExecution should be used for affinity
+ unless there is a specific well understood reason to use RequiredDuringSchedulingIgnoredDuringExecution and
+ you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution will always have sufficient nodes to satisfy the requirement.
+ NOTE: RequiredDuringSchedulingIgnoredDuringExecution is set by default for AKS nodes,
+ to avoid scheduling Typhas on virtual-nodes.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node selector terms.
+ The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements
+ by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector requirements
+ by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ typhaDeployment:
+ description: |-
+ TyphaDeployment configures the typha Deployment. If used in conjunction with the deprecated
+ ComponentResources or TyphaAffinity, then these overrides take precedence.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's
+ metadata that is added to the Deployment.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the typha Deployment.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the typha Deployment.
+ If omitted, the typha Deployment will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ strategy:
+ description: The deployment strategy to use to replace
+ existing pods with new ones.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ to be.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ template:
+ description: Template describes the typha Deployment pod
+ that will be created.
+ properties:
+ metadata:
+ description: |-
+ Metadata is a subset of a Kubernetes object's metadata that is added to
+ the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the typha Deployment's PodSpec.
+ properties:
+ affinity:
+ description: |-
+ Affinity is a group of affinity scheduling rules for the typha pods.
+ If specified, this overrides any affinity that may be set on the typha Deployment.
+ If omitted, the typha Deployment will use its default value for affinity.
+ If used in conjunction with the deprecated TyphaAffinity, then this value takes precedence.
+ WARNING: Please note that this field will override the default calico-typha Deployment affinity.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term,
+ associated with the corresponding
+ weight.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node
+ selector requirements by node's
+ labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node
+ selector requirements by node's
+ fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label
+ key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the
+ same node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the
+ matched WeightedPodAffinityTerm fields
+ are added per-node to find the most
+ preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of typha containers.
+ If specified, this overrides the specified typha Deployment containers.
+ If omitted, the typha Deployment will use its default values for its containers.
+ items:
+ description: TyphaDeploymentContainer is a typha
+ Deployment container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the typha Deployment container by name.
+ Supported values are: calico-typha
+ enum:
+ - calico-typha
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named typha Deployment container's resources.
+ If omitted, the typha Deployment will use its default value for this container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ initContainers:
+ description: |-
+ InitContainers is a list of typha init containers.
+ If specified, this overrides the specified typha Deployment init containers.
+ If omitted, the typha Deployment will use its default values for its init containers.
+ items:
+ description: TyphaDeploymentInitContainer is
+ a typha Deployment init container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the typha Deployment init container by name.
+ Supported values are: typha-certs-key-cert-provisioner
+ enum:
+ - typha-certs-key-cert-provisioner
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named typha Deployment init container's resources.
+ If omitted, the typha Deployment will use its default value for this init container's resources.
+ If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is the calico-typha pod's scheduling constraints.
+ If specified, each of the key/value pairs are added to the calico-typha Deployment nodeSelector provided
+ the key does not already exist in the object's nodeSelector.
+ If omitted, the calico-typha Deployment will use its default value for nodeSelector.
+ WARNING: Please note that this field will modify the default calico-typha Deployment nodeSelector.
+ type: object
+ terminationGracePeriodSeconds:
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ If this value is nil, the default grace period will be used instead.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ Defaults to 30 seconds.
+ format: int64
+ type: integer
+ tolerations:
+ description: |-
+ Tolerations is the typha pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the typha Deployment.
+ If omitted, the typha Deployment will use its default value for tolerations.
+ WARNING: Please note that this field will override the default calico-typha Deployment tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
+ items:
+ description: TopologySpreadConstraint specifies
+ how to spread matching pods among the given
+ topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each <key, value> as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ typhaMetricsPort:
+ description: TyphaMetricsPort specifies which port calico/typha
+ serves prometheus metrics on. By default, metrics are not enabled.
+ format: int32
+ type: integer
+ variant:
+ description: |-
+ Variant is the product to install - one of Calico or TigeraSecureEnterprise
+ Default: Calico
+ enum:
+ - Calico
+ - TigeraSecureEnterprise
+ type: string
+ windowsNodes:
+ description: Windows Configuration
+ properties:
+ cniBinDir:
+ description: |-
+ CNIBinDir is the path to the CNI binaries directory on Windows, it must match what is used as 'bin_dir' under
+ [plugins]
+ [plugins."io.containerd.grpc.v1.cri"]
+ [plugins."io.containerd.grpc.v1.cri".cni]
+ on the containerd 'config.toml' file on the Windows nodes.
+ type: string
+ cniConfigDir:
+ description: |-
+ CNIConfigDir is the path to the CNI configuration directory on Windows, it must match what is used as 'conf_dir' under
+ [plugins]
+ [plugins."io.containerd.grpc.v1.cri"]
+ [plugins."io.containerd.grpc.v1.cri".cni]
+ on the containerd 'config.toml' file on the Windows nodes.
+ type: string
+ cniLogDir:
+ description: CNILogDir is the path to the Calico CNI logs
+ directory on Windows.
+ type: string
+ vxlanAdapter:
+ description: VXLANAdapter is the Network Adapter used for
+ VXLAN, leave blank for primary NIC
+ type: string
+ vxlanMACPrefix:
+ description: VXLANMACPrefix is the prefix used when generating
+ MAC addresses for virtual NICs
+ pattern: ^[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}$
+ type: string
+ type: object
+ type: object
+ conditions:
+ description: |-
+ Conditions represents the latest observed set of conditions for the component. A component may be one or more of
+ Ready, Progressing, Degraded or other customer types.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ imageSet:
+ description: |-
+ ImageSet is the name of the ImageSet being used, if there is an ImageSet
+ that is being used. If an ImageSet is not being used then this will not be set.
+ type: string
+ mtu:
+ description: |-
+ MTU is the most recently observed value for pod network MTU. This may be an explicitly
+ configured value, or based on Calico's native auto-detetion.
+ format: int32
+ type: integer
+ variant:
+ description: Variant is the most recently observed installed variant
+ - one of Calico or TigeraSecureEnterprise
+ enum:
+ - Calico
+ - TigeraSecureEnterprise
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+# Source: crds/operator.tigera.io_managementclusterconnections_crd.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: managementclusterconnections.operator.tigera.io
+spec:
+ group: operator.tigera.io
+ names:
+ kind: ManagementClusterConnection
+ listKind: ManagementClusterConnectionList
+ plural: managementclusterconnections
+ singular: managementclusterconnection
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ManagementClusterConnection represents a link between a managed cluster and a management cluster. At most one
+ instance of this resource is supported. It must be named "tigera-secure".
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ManagementClusterConnectionSpec defines the desired state
+ of ManagementClusterConnection
+ properties:
+ guardianDeployment:
+ description: GuardianDeployment configures the guardian Deployment.
+ properties:
+ spec:
+ description: Spec is the specification of the guardian Deployment.
+ properties:
+ template:
+ description: Template describes the guardian Deployment pod
+ that will be created.
+ properties:
+ spec:
+ description: Spec is the guardian Deployment's PodSpec.
+ properties:
+ containers:
+ description: |-
+ Containers is a list of guardian containers.
+ If specified, this overrides the specified guardian Deployment containers.
+ If omitted, the guardian Deployment will use its default values for its containers.
+ items:
+ description: GuardianDeploymentContainer is a guardian
+ Deployment container.
+ properties:
+ name:
+ description: |-
+ Name is an enum which identifies the guardian Deployment container by name.
+ Supported values are: tigera-guardian
+ enum:
+ - tigera-guardian
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named guardian Deployment container's resources.
+ If omitted, the guardian Deployment will use its default value for this container's resources.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ initContainers:
+ description: |-
+ InitContainers is a list of guardian init containers.
+ If specified, this overrides the specified guardian Deployment init containers.
+ If omitted, the guardian Deployment will use its default values for its init containers.
+ items:
+ description: GuardianDeploymentInitContainer is
+ a guardian Deployment init container.
+ properties:
+ name:
+ description: Name is an enum which identifies
+ the guardian Deployment init container by
+ name.
+ type: string
+ resources:
+ description: |-
+ Resources allows customization of limits and requests for compute resources such as cpu and memory.
+ If specified, this overrides the named guardian Deployment init container's resources.
+ If omitted, the guardian Deployment will use its default value for this init container's resources.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ managementClusterAddr:
+ description: |-
+ Specify where the managed cluster can reach the management cluster. Ex.: "10.128.0.10:30449". A managed cluster
+ should be able to access this address. This field is used by managed clusters only.
+ type: string
+ tls:
+ description: TLS provides options for configuring how Managed Clusters
+ can establish an mTLS connection with the Management Cluster.
+ properties:
+ ca:
+ description: |-
+ CA indicates which verification method the tunnel client should use to verify the tunnel server's identity.
+ When left blank or set to 'Tigera', the tunnel client will expect a self-signed cert to be included in the certificate bundle
+ and will expect the cert to have a Common Name (CN) of 'voltron'.
+ When set to 'Public', the tunnel client will use its installed system certs and will use the managementClusterAddr to verify the tunnel server's identity.
+ Default: Tigera
+ enum:
+ - Tigera
+ - Public
+ type: string
+ type: object
+ type: object
+ status:
+ description: ManagementClusterConnectionStatus defines the observed state
+ of ManagementClusterConnection
+ properties:
+ conditions:
+ description: |-
+ Conditions represents the latest observed set of conditions for the component. A component may be one or more of
+ Ready, Progressing, Degraded or other customer types.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+# Source: crds/operator.tigera.io_tigerastatuses_crd.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: tigerastatuses.operator.tigera.io
+spec:
+ group: operator.tigera.io
+ names:
+ kind: TigeraStatus
+ listKind: TigeraStatusList
+ plural: tigerastatuses
+ singular: tigerastatus
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - description: Whether the component running and stable.
+ jsonPath: .status.conditions[?(@.type=='Available')].status
+ name: Available
+ type: string
+ - description: Whether the component is processing changes.
+ jsonPath: .status.conditions[?(@.type=='Progressing')].status
+ name: Progressing
+ type: string
+ - description: Whether the component is degraded.
+ jsonPath: .status.conditions[?(@.type=='Degraded')].status
+ name: Degraded
+ type: string
+ - description: The time the component's Available status last changed.
+ jsonPath: .status.conditions[?(@.type=='Available')].lastTransitionTime
+ name: Since
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: TigeraStatus represents the most recently observed status for
+ Calico or a Calico Enterprise functional area.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: TigeraStatusSpec defines the desired state of TigeraStatus
+ type: object
+ status:
+ description: TigeraStatusStatus defines the observed state of TigeraStatus
+ properties:
+ conditions:
+ description: |-
+ Conditions represents the latest observed set of conditions for this component. A component may be one or more of
+ Available, Progressing, or Degraded.
+ items:
+ description: TigeraStatusCondition represents a condition attached
+ to a particular component.
+ properties:
+ lastTransitionTime:
+ description: The timestamp representing the start time for the
+ current status.
+ format: date-time
+ type: string
+ message:
+ description: Optionally, a detailed message providing additional
+ context.
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the generation that the condition was set based upon.
+ For instance, if generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ type: integer
+ reason:
+ description: A brief reason explaining the condition.
+ type: string
+ status:
+ description: The status of the condition. May be True, False,
+ or Unknown.
+ type: string
+ type:
+ description: The type of condition. May be Available, Progressing,
+ or Degraded.
+ type: string
+ required:
+ - lastTransitionTime
+ - status
+ - type
+ type: object
+ type: array
+ required:
+ - conditions
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+# Source: crds/operator.tigera.io_whiskers_crd.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: whiskers.operator.tigera.io
+spec:
+ group: operator.tigera.io
+ names:
+ kind: Whisker
+ listKind: WhiskerList
+ plural: whiskers
+ singular: whisker
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ notifications:
+ description: |-
+ Default: Enabled
+ This setting enables calls to an external API to retrieve notification banner text in the Whisker UI.
+ Allowed values are Enabled or Disabled. Defaults to Enabled.
+ type: string
+ whiskerDeployment:
+ description: WhiskerDeployment is the configuration for the whisker
+ Deployment.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's metadata
+ that is added to the Deployment.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the specification of the whisker Deployment.
+ properties:
+ minReadySeconds:
+ description: |-
+ MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should
+ be ready without any of its container crashing, for it to be considered available.
+ If specified, this overrides any minReadySeconds value that may be set on the whisker Deployment.
+ If omitted, the whisker Deployment will use its default value for minReadySeconds.
+ format: int32
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ strategy:
+ description: The deployment strategy to use to replace existing
+ pods with new ones.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ to be.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ template:
+ description: Template describes the whisker Deployment pod
+ that will be created.
+ properties:
+ metadata:
+ description: Metadata is a subset of a Kubernetes object's
+ metadata that is added to the pod's metadata.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations is a map of arbitrary non-identifying metadata. Each of these
+ key/value pairs are added to the object's annotations provided the key does not
+ already exist in the object's annotations.
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels is a map of string keys and values that may match replicaset and
+ service selectors. Each of these key/value pairs are added to the
+ object's labels provided the key does not already exist in the object's labels.
+ type: object
+ type: object
+ spec:
+ description: Spec is the whisker Deployment's PodSpec.
+ properties:
+ affinity:
+ description: Affinity is a group of affinity scheduling
+ rules for the whisker pods.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key <topologyKey> matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ containers:
+ description: |-
+ Containers is a list of whisker containers.
+ If specified, this overrides the specified EGW Deployment containers.
+ If omitted, the whisker Deployment will use its default values for its containers.
+ items:
+ properties:
+ name:
+ enum:
+ - whisker
+ - whisker-backend
+ type: string
+ resources:
+ description: ResourceRequirements describes
+ the compute resource requirements.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references
+ one entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: NodeSelector gives more control over
+ the nodes where the whisker pods will run on.
+ type: object
+ priorityClassName:
+ description: PriorityClassName allows to specify a
+ PriorityClass resource to be used.
+ type: string
+ terminationGracePeriodSeconds:
+ description: TerminationGracePeriodSeconds defines
+ the termination grace period of the whisker pods
+ in seconds.
+ format: int64
+ minimum: 0
+ type: integer
+ tolerations:
+ description: |-
+ Tolerations is the whisker pod's tolerations.
+ If specified, this overrides any tolerations that may be set on the whisker Deployment.
+ If omitted, the whisker Deployment will use its default value for tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple <key,value,effect> using the matching operator <operator>.
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
+ items:
+ description: TopologySpreadConstraint specifies
+ how to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each <key, value> as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ type: object
+ status:
+ description: WhiskerStatus defines the observed state of Whisker
+ properties:
+ conditions:
+ description: |-
+ Conditions represents the latest observed set of conditions for the component. A component may be one or more of
+ Ready, Progressing, Degraded or other customer types.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+# Source: crds/crd.projectcalico.org_bgpconfigurations.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: bgpconfigurations.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: BGPConfiguration
+ listKind: BGPConfigurationList
+ plural: bgpconfigurations
+ singular: bgpconfiguration
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: BGPConfiguration contains the configuration for any BGP routing.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: BGPConfigurationSpec contains the values of the BGP configuration.
+ properties:
+ asNumber:
+ description: 'ASNumber is the default AS number used by a node. [Default:
+ 64512]'
+ format: int32
+ type: integer
+ bindMode:
+ description: |-
+ BindMode indicates whether to listen for BGP connections on all addresses (None)
+ or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP).
+ Default behaviour is to listen for BGP connections on all addresses.
+ type: string
+ communities:
+ description: Communities is a list of BGP community values and their
+ arbitrary names for tagging routes.
+ items:
+ description: Community contains standard or large community value
+ and its name.
+ properties:
+ name:
+ description: Name given to community value.
+ type: string
+ value:
+ description: |-
+ Value must be of format `aa:nn` or `aa:nn:mm`.
+ For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number.
+ For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number.
+ Where, `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
+ pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
+ type: string
+ type: object
+ type: array
+ ignoredInterfaces:
+ description: IgnoredInterfaces indicates the network interfaces that
+ needs to be excluded when reading device routes.
+ items:
+ type: string
+ type: array
+ listenPort:
+ description: ListenPort is the port where BGP protocol should listen.
+ Defaults to 179
+ maximum: 65535
+ minimum: 1
+ type: integer
+ localWorkloadPeeringIPV4:
+ description: |-
+ The virtual IPv4 address of the node with which its local workload is expected to peer.
+ It is recommended to use a link-local address.
+ type: string
+ localWorkloadPeeringIPV6:
+ description: |-
+ The virtual IPv6 address of the node with which its local workload is expected to peer.
+ It is recommended to use a link-local address.
+ type: string
+ logSeverityScreen:
+ description: 'LogSeverityScreen is the log severity above which logs
+ are sent to the stdout. [Default: INFO]'
+ type: string
+ nodeMeshMaxRestartTime:
+ description: |-
+ Time to allow for software restart for node-to-mesh peerings. When specified, this is configured
+ as the graceful restart timeout. When not specified, the BIRD default of 120s is used.
+ This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled
+ type: string
+ nodeMeshPassword:
+ description: |-
+ Optional BGP password for full node-to-mesh peerings.
+ This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled
+ properties:
+ secretKeyRef:
+ description: Selects a key of a secret in the node pod's namespace.
+ properties:
+ key:
+ description: The key of the secret to select from. Must be
+ a valid secret key.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the Secret or its key must be
+ defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ nodeToNodeMeshEnabled:
+ description: 'NodeToNodeMeshEnabled sets whether full node to node
+ BGP mesh is enabled. [Default: true]'
+ type: boolean
+ prefixAdvertisements:
+ description: PrefixAdvertisements contains per-prefix advertisement
+ configuration.
+ items:
+ description: PrefixAdvertisement configures advertisement properties
+ for the specified CIDR.
+ properties:
+ cidr:
+ description: CIDR for which properties should be advertised.
+ type: string
+ communities:
+ description: |-
+ Communities can be list of either community names already defined in `Specs.Communities` or community value of format `aa:nn` or `aa:nn:mm`.
+ For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number.
+ For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number.
+ Where,`aa` is an AS Number, `nn` and `mm` are per-AS identifier.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ serviceClusterIPs:
+ description: |-
+ ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated.
+ If specified, Calico will advertise these blocks, as well as any cluster IPs within them.
+ items:
+ description: ServiceClusterIPBlock represents a single allowed ClusterIP
+ CIDR block.
+ properties:
+ cidr:
+ type: string
+ type: object
+ type: array
+ serviceExternalIPs:
+ description: |-
+ ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs.
+ Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks.
+ items:
+ description: ServiceExternalIPBlock represents a single allowed
+ External IP CIDR block.
+ properties:
+ cidr:
+ type: string
+ type: object
+ type: array
+ serviceLoadBalancerIPs:
+ description: |-
+ ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs.
+ Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks.
+ items:
+ description: ServiceLoadBalancerIPBlock represents a single allowed
+ LoadBalancer IP CIDR block.
+ properties:
+ cidr:
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_bgpfilters.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: bgpfilters.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: BGPFilter
+ listKind: BGPFilterList
+ plural: bgpfilters
+ singular: bgpfilter
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of
+ the BGP Filter.
+ properties:
+ exportV4:
+ description: The ordered set of IPv4 BGPFilter rules acting on exporting
+ routes to a peer.
+ items:
+ description: BGPFilterRuleV4 defines a BGP filter rule consisting
+ a single IPv4 CIDR block and a filter action for this CIDR.
+ properties:
+ action:
+ type: string
+ cidr:
+ type: string
+ interface:
+ type: string
+ matchOperator:
+ type: string
+ prefixLength:
+ properties:
+ max:
+ format: int32
+ maximum: 32
+ minimum: 0
+ type: integer
+ min:
+ format: int32
+ maximum: 32
+ minimum: 0
+ type: integer
+ type: object
+ source:
+ type: string
+ required:
+ - action
+ type: object
+ type: array
+ exportV6:
+ description: The ordered set of IPv6 BGPFilter rules acting on exporting
+ routes to a peer.
+ items:
+ description: BGPFilterRuleV6 defines a BGP filter rule consisting
+ a single IPv6 CIDR block and a filter action for this CIDR.
+ properties:
+ action:
+ type: string
+ cidr:
+ type: string
+ interface:
+ type: string
+ matchOperator:
+ type: string
+ prefixLength:
+ properties:
+ max:
+ format: int32
+ maximum: 128
+ minimum: 0
+ type: integer
+ min:
+ format: int32
+ maximum: 128
+ minimum: 0
+ type: integer
+ type: object
+ source:
+ type: string
+ required:
+ - action
+ type: object
+ type: array
+ importV4:
+ description: The ordered set of IPv4 BGPFilter rules acting on importing
+ routes from a peer.
+ items:
+ description: BGPFilterRuleV4 defines a BGP filter rule consisting
+ a single IPv4 CIDR block and a filter action for this CIDR.
+ properties:
+ action:
+ type: string
+ cidr:
+ type: string
+ interface:
+ type: string
+ matchOperator:
+ type: string
+ prefixLength:
+ properties:
+ max:
+ format: int32
+ maximum: 32
+ minimum: 0
+ type: integer
+ min:
+ format: int32
+ maximum: 32
+ minimum: 0
+ type: integer
+ type: object
+ source:
+ type: string
+ required:
+ - action
+ type: object
+ type: array
+ importV6:
+ description: The ordered set of IPv6 BGPFilter rules acting on importing
+ routes from a peer.
+ items:
+ description: BGPFilterRuleV6 defines a BGP filter rule consisting
+ a single IPv6 CIDR block and a filter action for this CIDR.
+ properties:
+ action:
+ type: string
+ cidr:
+ type: string
+ interface:
+ type: string
+ matchOperator:
+ type: string
+ prefixLength:
+ properties:
+ max:
+ format: int32
+ maximum: 128
+ minimum: 0
+ type: integer
+ min:
+ format: int32
+ maximum: 128
+ minimum: 0
+ type: integer
+ type: object
+ source:
+ type: string
+ required:
+ - action
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_bgppeers.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: bgppeers.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: BGPPeer
+ listKind: BGPPeerList
+ plural: bgppeers
+ singular: bgppeer
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: BGPPeerSpec contains the specification for a BGPPeer resource.
+ properties:
+ asNumber:
+ description: The AS Number of the peer.
+ format: int32
+ type: integer
+ filters:
+ description: The ordered set of BGPFilters applied on this BGP peer.
+ items:
+ type: string
+ type: array
+ keepOriginalNextHop:
+ description: |-
+ Option to keep the original nexthop field when routes are sent to a BGP Peer.
+ Setting "true" configures the selected BGP Peers node to use the "next hop keep;"
+ instead of "next hop self;"(default) in the specific branch of the Node on "bird.cfg".
+ Note: that this field is deprecated. Users should use the NextHopMode field to control
+ the next hop attribute for a BGP peer.
+ type: boolean
+ localWorkloadSelector:
+ description: |-
+ Selector for the local workload that the node should peer with. When this is set, the peerSelector and peerIP fields must be empty,
+ and the ASNumber must not be empty.
+ type: string
+ maxRestartTime:
+ description: |-
+ Time to allow for software restart. When specified, this is configured as the graceful
+ restart timeout. When not specified, the BIRD default of 120s is used.
+ type: string
+ nextHopMode:
+ allOf:
+ - enum:
+ - Auto
+ - Self
+ - Keep
+ - enum:
+ - Auto
+ - Self
+ - Keep
+ description: |-
+ NextHopMode defines the method of calculating the next hop attribute for received routes.
+ This replaces and expands the deprecated KeepOriginalNextHop field.
+ Users should use this setting to control the next hop attribute for a BGP peer.
+ When this is set, the value of the KeepOriginalNextHop field is ignored.
+ if neither keepOriginalNextHop or nextHopMode is specified, BGP's default behaviour is used.
+ Set it to “Auto” to apply BGP’s default behaviour.
+ Set it to "Self" to configure "next hop self;" in "bird.cfg".
+ Set it to "Keep" to configure "next hop keep;" in "bird.cfg".
+ type: string
+ node:
+ description: |-
+ The node name identifying the Calico node instance that is targeted by this peer.
+ If this is not set, and no nodeSelector is specified, then this BGP peer selects all
+ nodes in the cluster.
+ type: string
+ nodeSelector:
+ description: |-
+ Selector for the nodes that should have this peering. When this is set, the Node
+ field must be empty.
+ type: string
+ numAllowedLocalASNumbers:
+ description: |-
+ Maximum number of local AS numbers that are allowed in the AS path for received routes.
+ This removes BGP loop prevention and should only be used if absolutely necessary.
+ format: int32
+ type: integer
+ password:
+ description: Optional BGP password for the peerings generated by this
+ BGPPeer resource.
+ properties:
+ secretKeyRef:
+ description: Selects a key of a secret in the node pod's namespace.
+ properties:
+ key:
+ description: The key of the secret to select from. Must be
+ a valid secret key.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the Secret or its key must be
+ defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ peerIP:
+ description: |-
+ The IP address of the peer followed by an optional port number to peer with.
+ If port number is given, format should be `[<IPv6>]:port` or `<IPv4>:<port>` for IPv4.
+ If optional port number is not set, and this peer IP and ASNumber belongs to a calico/node
+ with ListenPort set in BGPConfiguration, then we use that port to peer.
+ type: string
+ peerSelector:
+ description: |-
+ Selector for the remote nodes to peer with. When this is set, the PeerIP and
+ ASNumber fields must be empty. For each peering between the local node and
+ selected remote nodes, we configure an IPv4 peering if both ends have
+ NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have
+ NodeBGPSpec.IPv6Address specified. The remote AS number comes from the remote
+ node's NodeBGPSpec.ASNumber, or the global default if that is not set.
+ type: string
+ reachableBy:
+ description: |-
+ Add an exact, i.e. /32, static route toward peer IP in order to prevent route flapping.
+ ReachableBy contains the address of the gateway which peer can be reached by.
+ type: string
+ reversePeering:
+ description: |-
+ ReversePeering, for peerings between Calico nodes controls whether
+ the reverse peering from nodes selected by peerSelector is generated
+ automatically. If set to Manual, a separate BGPPeer must be created
+ for the reverse peering. [Default: Auto]
+ enum:
+ - Auto
+ - Manual
+ type: string
+ sourceAddress:
+ description: |-
+ Specifies whether and how to configure a source address for the peerings generated by
+ this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the
+ source address. "None" means not to configure a source address.
+ type: string
+ ttlSecurity:
+ description: |-
+ TTLSecurity enables the generalized TTL security mechanism (GTSM) which protects against spoofed packets by
+ ignoring received packets with a smaller than expected TTL value. The provided value is the number of hops
+ (edges) between the peers.
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_blockaffinities.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: blockaffinities.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: BlockAffinity
+ listKind: BlockAffinityList
+ plural: blockaffinities
+ singular: blockaffinity
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: BlockAffinitySpec contains the specification for a BlockAffinity
+ resource.
+ properties:
+ cidr:
+ type: string
+ deleted:
+ description: |-
+ Deleted indicates that this block affinity is being deleted.
+ This field is a string for compatibility with older releases that
+ mistakenly treat this field as a string.
+ type: string
+ node:
+ type: string
+ state:
+ type: string
+ type:
+ type: string
+ required:
+ - cidr
+ - deleted
+ - node
+ - state
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_caliconodestatuses.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: caliconodestatuses.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: CalicoNodeStatus
+ listKind: CalicoNodeStatusList
+ plural: caliconodestatuses
+ singular: caliconodestatus
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
+ resource.
+ properties:
+ classes:
+ description: |-
+ Classes declares the types of information to monitor for this calico/node,
+ and allows for selective status reporting about certain subsets of information.
+ items:
+ type: string
+ type: array
+ node:
+ description: The node name identifies the Calico node instance for
+ node status.
+ type: string
+ updatePeriodSeconds:
+ description: |-
+ UpdatePeriodSeconds is the period at which CalicoNodeStatus should be updated.
+ Set to 0 to disable CalicoNodeStatus refresh. Maximum update period is one day.
+ format: int32
+ type: integer
+ type: object
+ status:
+ description: |-
+ CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
+ No validation needed for status since it is updated by Calico.
+ properties:
+ agent:
+ description: Agent holds agent status on the node.
+ properties:
+ birdV4:
+ description: BIRDV4 represents the latest observed status of bird4.
+ properties:
+ lastBootTime:
+ description: LastBootTime holds the value of lastBootTime
+ from bird.ctl output.
+ type: string
+ lastReconfigurationTime:
+ description: LastReconfigurationTime holds the value of lastReconfigTime
+ from bird.ctl output.
+ type: string
+ routerID:
+ description: Router ID used by bird.
+ type: string
+ state:
+ description: The state of the BGP Daemon.
+ type: string
+ version:
+ description: Version of the BGP daemon
+ type: string
+ type: object
+ birdV6:
+ description: BIRDV6 represents the latest observed status of bird6.
+ properties:
+ lastBootTime:
+ description: LastBootTime holds the value of lastBootTime
+ from bird.ctl output.
+ type: string
+ lastReconfigurationTime:
+ description: LastReconfigurationTime holds the value of lastReconfigTime
+ from bird.ctl output.
+ type: string
+ routerID:
+ description: Router ID used by bird.
+ type: string
+ state:
+ description: The state of the BGP Daemon.
+ type: string
+ version:
+ description: Version of the BGP daemon
+ type: string
+ type: object
+ type: object
+ bgp:
+ description: BGP holds node BGP status.
+ properties:
+ numberEstablishedV4:
+ description: The total number of IPv4 established bgp sessions.
+ type: integer
+ numberEstablishedV6:
+ description: The total number of IPv6 established bgp sessions.
+ type: integer
+ numberNotEstablishedV4:
+ description: The total number of IPv4 non-established bgp sessions.
+ type: integer
+ numberNotEstablishedV6:
+ description: The total number of IPv6 non-established bgp sessions.
+ type: integer
+ peersV4:
+ description: PeersV4 represents IPv4 BGP peers status on the node.
+ items:
+ description: CalicoNodePeer contains the status of BGP peers
+ on the node.
+ properties:
+ peerIP:
+ description: IP address of the peer whose condition we are
+ reporting.
+ type: string
+ since:
+ description: Since the state or reason last changed.
+ type: string
+ state:
+ description: State is the BGP session state.
+ type: string
+ type:
+ description: |-
+ Type indicates whether this peer is configured via the node-to-node mesh,
+ or via en explicit global or per-node BGPPeer object.
+ type: string
+ type: object
+ type: array
+ peersV6:
+ description: PeersV6 represents IPv6 BGP peers status on the node.
+ items:
+ description: CalicoNodePeer contains the status of BGP peers
+ on the node.
+ properties:
+ peerIP:
+ description: IP address of the peer whose condition we are
+ reporting.
+ type: string
+ since:
+ description: Since the state or reason last changed.
+ type: string
+ state:
+ description: State is the BGP session state.
+ type: string
+ type:
+ description: |-
+ Type indicates whether this peer is configured via the node-to-node mesh,
+ or via en explicit global or per-node BGPPeer object.
+ type: string
+ type: object
+ type: array
+ required:
+ - numberEstablishedV4
+ - numberEstablishedV6
+ - numberNotEstablishedV4
+ - numberNotEstablishedV6
+ type: object
+ lastUpdated:
+ description: |-
+ LastUpdated is a timestamp representing the server time when CalicoNodeStatus object
+ last updated. It is represented in RFC3339 form and is in UTC.
+ format: date-time
+ nullable: true
+ type: string
+ routes:
+ description: Routes reports routes known to the Calico BGP daemon
+ on the node.
+ properties:
+ routesV4:
+ description: RoutesV4 represents IPv4 routes on the node.
+ items:
+ description: CalicoNodeRoute contains the status of BGP routes
+ on the node.
+ properties:
+ destination:
+ description: Destination of the route.
+ type: string
+ gateway:
+ description: Gateway for the destination.
+ type: string
+ interface:
+ description: Interface for the destination
+ type: string
+ learnedFrom:
+ description: LearnedFrom contains information regarding
+ where this route originated.
+ properties:
+ peerIP:
+ description: If sourceType is NodeMesh or BGPPeer, IP
+ address of the router that sent us this route.
+ type: string
+ sourceType:
+ description: Type of the source where a route is learned
+ from.
+ type: string
+ type: object
+ type:
+ description: Type indicates if the route is being used for
+ forwarding or not.
+ type: string
+ type: object
+ type: array
+ routesV6:
+ description: RoutesV6 represents IPv6 routes on the node.
+ items:
+ description: CalicoNodeRoute contains the status of BGP routes
+ on the node.
+ properties:
+ destination:
+ description: Destination of the route.
+ type: string
+ gateway:
+ description: Gateway for the destination.
+ type: string
+ interface:
+ description: Interface for the destination
+ type: string
+ learnedFrom:
+ description: LearnedFrom contains information regarding
+ where this route originated.
+ properties:
+ peerIP:
+ description: If sourceType is NodeMesh or BGPPeer, IP
+ address of the router that sent us this route.
+ type: string
+ sourceType:
+ description: Type of the source where a route is learned
+ from.
+ type: string
+ type: object
+ type:
+ description: Type indicates if the route is being used for
+ forwarding or not.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_clusterinformations.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: clusterinformations.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: ClusterInformation
+ listKind: ClusterInformationList
+ plural: clusterinformations
+ singular: clusterinformation
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: ClusterInformation contains the cluster specific information.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ClusterInformationSpec contains the values of describing
+ the cluster.
+ properties:
+ calicoVersion:
+ description: CalicoVersion is the version of Calico that the cluster
+ is running
+ type: string
+ clusterGUID:
+ description: ClusterGUID is the GUID of the cluster
+ type: string
+ clusterType:
+ description: ClusterType describes the type of the cluster
+ type: string
+ datastoreReady:
+ description: |-
+ DatastoreReady is used during significant datastore migrations to signal to components
+ such as Felix that it should wait before accessing the datastore.
+ type: boolean
+ variant:
+ description: Variant declares which variant of Calico should be active.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_felixconfigurations.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: felixconfigurations.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: FelixConfiguration
+ listKind: FelixConfigurationList
+ plural: felixconfigurations
+ singular: felixconfiguration
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: Felix Configuration contains the configuration for Felix.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FelixConfigurationSpec contains the values of the Felix configuration.
+ properties:
+ allowIPIPPacketsFromWorkloads:
+ description: |-
+ AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic
+ from workloads. [Default: false]
+ type: boolean
+ allowVXLANPacketsFromWorkloads:
+ description: |-
+ AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic
+ from workloads. [Default: false]
+ type: boolean
+ awsSrcDstCheck:
+ description: |-
+ AWSSrcDstCheck controls whether Felix will try to change the "source/dest check" setting on the EC2 instance
+ on which it is running. A value of "Disable" will try to disable the source/dest check. Disabling the check
+ allows for sending workload traffic without encapsulation within the same AWS subnet.
+ [Default: DoNothing]
+ enum:
+ - DoNothing
+ - Enable
+ - Disable
+ type: string
+ bpfCTLBLogFilter:
+ description: |-
+ BPFCTLBLogFilter specifies, what is logged by connect time load balancer when BPFLogLevel is
+ debug. Currently has to be specified as 'all' when BPFLogFilters is set
+ to see CTLB logs.
+ [Default: unset - means logs are emitted when BPFLogLevel id debug and BPFLogFilters not set.]
+ type: string
+ bpfConnectTimeLoadBalancing:
+ description: |-
+ BPFConnectTimeLoadBalancing when in BPF mode, controls whether Felix installs the connect-time load
+ balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services
+ and it improves the performance of pod-to-service connections.When set to TCP, connect time load balancing
+ is available only for services with TCP ports. [Default: TCP]
+ enum:
+ - TCP
+ - Enabled
+ - Disabled
+ type: string
+ bpfConnectTimeLoadBalancingEnabled:
+ description: |-
+ BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load
+ balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services
+ and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging
+ purposes.
+
+ Deprecated: Use BPFConnectTimeLoadBalancing [Default: true]
+ type: boolean
+ bpfConntrackLogLevel:
+ description: |-
+ BPFConntrackLogLevel controls the log level of the BPF conntrack cleanup program, which runs periodically
+ to clean up expired BPF conntrack entries.
+ [Default: Off].
+ enum:
+ - "Off"
+ - Debug
+ type: string
+ bpfConntrackMode:
+ description: |-
+ BPFConntrackCleanupMode controls how BPF conntrack entries are cleaned up. `Auto` will use a BPF program if supported,
+ falling back to userspace if not. `Userspace` will always use the userspace cleanup code. `BPFProgram` will
+ always use the BPF program (failing if not supported).
+ [Default: Auto]
+ enum:
+ - Auto
+ - Userspace
+ - BPFProgram
+ type: string
+ bpfConntrackTimeouts:
+ description: |-
+ BPFConntrackTimers overrides the default values for the specified conntrack timer if
+ set. Each value can be either a duration or `Auto` to pick the value from
+ a Linux conntrack timeout.
+
+ Configurable timers are: CreationGracePeriod, TCPSynSent,
+ TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPTimeout, GenericTimeout,
+ ICMPTimeout.
+
+ Unset values are replaced by the default values with a warning log for
+ incorrect values.
+ properties:
+ creationGracePeriod:
+ description: |2-
+ CreationGracePeriod gives a generic grace period to new connection
+ before they are considered for cleanup [Default: 10s].
+ pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
+ type: string
+ genericTimeout:
+ description: |-
+ GenericTimeout controls how long it takes before considering this
+ entry for cleanup after the connection became idle. If set to 'Auto', the
+ value from nf_conntrack_generic_timeout is used. If nil, Calico uses its
+ own default value. [Default: 10m].
+ pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
+ type: string
+ icmpTimeout:
+ description: |-
+ ICMPTimeout controls how long it takes before considering this
+ entry for cleanup after the connection became idle. If set to 'Auto', the
+ value from nf_conntrack_icmp_timeout is used. If nil, Calico uses its
+ own default value. [Default: 5s].
+ pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
+ type: string
+ tcpEstablished:
+ description: |-
+ TCPEstablished controls how long it takes before considering this entry for
+ cleanup after the connection became idle. If set to 'Auto', the
+ value from nf_conntrack_tcp_timeout_established is used. If nil, Calico uses
+ its own default value. [Default: 1h].
+ pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
+ type: string
+ tcpFinsSeen:
+ description: |-
+ TCPFinsSeen controls how long it takes before considering this entry for
+ cleanup after the connection was closed gracefully. If set to 'Auto', the
+ value from nf_conntrack_tcp_timeout_time_wait is used. If nil, Calico uses
+ its own default value. [Default: Auto].
+ pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
+ type: string
+ tcpResetSeen:
+ description: |-
+ TCPResetSeen controls how long it takes before considering this entry for
+ cleanup after the connection was aborted. If nil, Calico uses its own
+ default value. [Default: 40s].
+ pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
+ type: string
+ tcpSynSent:
+ description: |-
+ TCPSynSent controls how long it takes before considering this entry for
+ cleanup after the last SYN without a response. If set to 'Auto', the
+ value from nf_conntrack_tcp_timeout_syn_sent is used. If nil, Calico uses
+ its own default value. [Default: 20s].
+ pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
+ type: string
+ udpTimeout:
+ description: |-
+ UDPTimeout controls how long it takes before considering this entry for
+ cleanup after the connection became idle. If nil, Calico uses its own
+ default value. [Default: 60s].
+ pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
+ type: string
+ type: object
+ bpfDSROptoutCIDRs:
+ description: |-
+ BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients
+ in those CIDRs will access service node ports as if BPFExternalServiceMode was set to
+ Tunnel.
+ items:
+ type: string
+ type: array
+ bpfDataIfacePattern:
+ description: |-
+ BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to
+ in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic
+ flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the
+ cluster. It should not match the workload interfaces (usually named cali...) or any other special device managed
+ by Calico itself (e.g., tunnels).
+ type: string
+ bpfDisableGROForIfaces:
+ description: |-
+ BPFDisableGROForIfaces is a regular expression that controls which interfaces Felix should disable the
+ Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...).
+ type: string
+ bpfDisableUnprivileged:
+ description: |-
+ BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable
+ unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and
+ cannot insert their own BPF programs to interfere with Calico's. [Default: true]
+ type: boolean
+ bpfEnabled:
+ description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
+ [Default: false]'
+ type: boolean
+ bpfEnforceRPF:
+ description: |-
+ BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of
+ what is the per-interfaces or global setting. Possible values are Disabled, Strict
+ or Loose. [Default: Loose]
+ pattern: ^(?i)(Disabled|Strict|Loose)?$
+ type: string
+ bpfExcludeCIDRsFromNAT:
+ description: |-
+ BPFExcludeCIDRsFromNAT is a list of CIDRs that are to be excluded from NAT
+ resolution so that host can handle them. A typical usecase is node local
+ DNS cache.
+ items:
+ type: string
+ type: array
+ bpfExportBufferSizeMB:
+ description: |-
+ BPFExportBufferSizeMB in BPF mode, controls the buffer size used for sending BPF events to felix.
+ [Default: 1]
+ type: integer
+ bpfExtToServiceConnmark:
+ description: |-
+ BPFExtToServiceConnmark in BPF mode, controls a 32bit mark that is set on connections from an
+ external client to a local service. This mark allows us to control how packets of that
+ connection are routed within the host and how is routing interpreted by RPF check. [Default: 0]
+ type: integer
+ bpfExternalServiceMode:
+ description: |-
+ BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports
+ and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic
+ is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic
+ is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress
+ node; this requires a permissive L2 network. [Default: Tunnel]
+ pattern: ^(?i)(Tunnel|DSR)?$
+ type: string
+ bpfForceTrackPacketsFromIfaces:
+ description: |-
+ BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic from these interfaces
+ to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be
+ tracked by Linux conntrack. Should only be used for interfaces that are not used for
+ the Calico fabric. For example, a docker bridge device for non-Calico-networked
+ containers. [Default: docker+]
+ items:
+ type: string
+ type: array
+ bpfHostConntrackBypass:
+ description: |-
+ BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for
+ workloads and services. [Default: true - bypass Linux conntrack]
+ type: boolean
+ bpfHostNetworkedNATWithoutCTLB:
+ description: |-
+ BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
+ determines the CTLB behavior. [Default: Enabled]
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ bpfKubeProxyEndpointSlicesEnabled:
+ description: |-
+ BPFKubeProxyEndpointSlicesEnabled is deprecated and has no effect. BPF
+ kube-proxy always accepts endpoint slices. This option will be removed in
+ the next release.
+ type: boolean
+ bpfKubeProxyIptablesCleanupEnabled:
+ description: |-
+ BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream
+ Kubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running. [Default: true]
+ type: boolean
+ bpfKubeProxyMinSyncPeriod:
+ description: |-
+ BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix's
+ embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by
+ batching up more work. [Default: 1s]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ bpfL3IfacePattern:
+ description: |-
+ BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices)
+ in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows
+ over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.
+ type: string
+ bpfLogFilters:
+ additionalProperties:
+ type: string
+ description: |-
+ BPFLogFilters is a map of key=values where the value is
+ a pcap filter expression and the key is an interface name with 'all'
+ denoting all interfaces, 'weps' all workload endpoints and 'heps' all host
+ endpoints.
+
+ When specified as an env var, it accepts a comma-separated list of
+ key=values.
+ [Default: unset - means all debug logs are emitted]
+ type: object
+ bpfLogLevel:
+ description: |-
+ BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or
+ "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`.
+ [Default: Off].
+ pattern: ^(?i)(Off|Info|Debug)?$
+ type: string
+ bpfMapSizeConntrack:
+ description: |-
+ BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold
+ an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption.
+ type: integer
+ bpfMapSizeConntrackCleanupQueue:
+ description: |-
+ BPFMapSizeConntrackCleanupQueue sets the size for the map used to hold NAT conntrack entries that are queued
+ for cleanup. This should be big enough to hold all the NAT entries that expire within one cleanup interval.
+ minimum: 1
+ type: integer
+ bpfMapSizeConntrackScaling:
+ description: |-
+ BPFMapSizeConntrackScaling controls whether and how we scale the conntrack map size depending
+ on its usage. 'Disabled' make the size stay at the default or whatever is set by
+ BPFMapSizeConntrack*. 'DoubleIfFull' doubles the size when the map is pretty much full even
+ after cleanups. [Default: DoubleIfFull]
+ pattern: ^(?i)(Disabled|DoubleIfFull)?$
+ type: string
+ bpfMapSizeIPSets:
+ description: |-
+ BPFMapSizeIPSets sets the size for ipsets map. The IP sets map must be large enough to hold an entry
+ for each endpoint matched by every selector in the source/destination matches in network policy. Selectors
+ such as "all()" can result in large numbers of entries (one entry per endpoint in that case).
+ type: integer
+ bpfMapSizeIfState:
+ description: |-
+ BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry
+ for each device (host + workloads) on a host.
+ type: integer
+ bpfMapSizeNATAffinity:
+ description: |-
+ BPFMapSizeNATAffinity sets the size of the BPF map that stores the affinity of a connection (for services that
+ enable that feature.
+ type: integer
+ bpfMapSizeNATBackend:
+ description: |-
+ BPFMapSizeNATBackend sets the size for NAT back end map.
+ This is the total number of endpoints. This is mostly
+ more than the size of the number of services.
+ type: integer
+ bpfMapSizeNATFrontend:
+ description: |-
+ BPFMapSizeNATFrontend sets the size for NAT front end map.
+ FrontendMap should be large enough to hold an entry for each nodeport,
+ external IP and each port in each service.
+ type: integer
+ bpfMapSizePerCpuConntrack:
+ description: |-
+ BPFMapSizePerCPUConntrack determines the size of conntrack map based on the number of CPUs. If set to a
+ non-zero value, overrides BPFMapSizeConntrack with `BPFMapSizePerCPUConntrack * (Number of CPUs)`.
+ This map must be large enough to hold an entry for each active connection. Warning: changing the size of the
+ conntrack map can cause disruption.
+ type: integer
+ bpfMapSizeRoute:
+ description: |-
+ BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough
+ to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and
+ tunnel IPs).
+ type: integer
+ bpfPSNATPorts:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port
+ collision. This should be within the ephemeral range as defined by RFC 6056 (1024–65535) and
+ preferably outside the ephemeral ranges used by common operating systems. Linux uses
+ 32768–60999, while others mostly use the IANA defined range 49152–65535. It is not necessarily
+ a problem if this range overlaps with the operating systems. Both ends of the range are
+ inclusive. [Default: 20000:29999]
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ bpfPolicyDebugEnabled:
+ description: |-
+ BPFPolicyDebugEnabled when true, Felix records detailed information
+ about the BPF policy programs, which can be examined with the calico-bpf command-line tool.
+ type: boolean
+ bpfProfiling:
+ description: |-
+ BPFProfiling controls profiling of BPF programs. At the monent, it can be
+ Disabled or Enabled. [Default: Disabled]
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ bpfRedirectToPeer:
+ description: |-
+ BPFRedirectToPeer controls which whether it is allowed to forward straight to the
+ peer side of the workload devices. It is allowed for any host L2 devices by default
+ (L2Only), but it breaks TCP dump on the host side of workload device as it bypasses
+ it on ingress. Value of Enabled also allows redirection from L3 host devices like
+ IPIP tunnel or Wireguard directly to the peer side of the workload's device. This
+ makes redirection faster, however, it breaks tools like tcpdump on the peer side.
+ Use Enabled with caution. [Default: L2Only]
+ enum:
+ - Enabled
+ - Disabled
+ - L2Only
+ type: string
+ chainInsertMode:
+ description: |-
+ ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule
+ at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents
+ Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains
+ signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed.
+ [Default: insert]
+ pattern: ^(?i)(Insert|Append)?$
+ type: string
+ dataplaneDriver:
+ description: |-
+ DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver
+ is set to false.
+ type: string
+ dataplaneWatchdogTimeout:
+ description: |-
+ DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver.
+ Deprecated: replaced by the generic HealthTimeoutOverrides.
+ type: string
+ debugDisableLogDropping:
+ description: |-
+ DebugDisableLogDropping disables the dropping of log messages when the log buffer is full. This can
+ significantly impact performance if log write-out is a bottleneck. [Default: false]
+ type: boolean
+ debugHost:
+ description: |-
+ DebugHost is the host IP or hostname to bind the debug port to. Only used
+ if DebugPort is set. [Default:localhost]
+ type: string
+ debugMemoryProfilePath:
+ description: DebugMemoryProfilePath is the path to write the memory
+ profile to when triggered by signal.
+ type: string
+ debugPort:
+ description: |-
+ DebugPort if set, enables Felix's debug HTTP port, which allows memory and CPU profiles
+ to be retrieved. The debug port is not secure, it should not be exposed to the internet.
+ type: integer
+ debugSimulateCalcGraphHangAfter:
+ description: |-
+ DebugSimulateCalcGraphHangAfter is used to simulate a hang in the calculation graph after the specified duration.
+ This is useful in tests of the watchdog system only!
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ debugSimulateDataplaneApplyDelay:
+ description: |-
+ DebugSimulateDataplaneApplyDelay adds an artificial delay to every dataplane operation. This is useful for
+ simulating a heavily loaded system for test purposes only.
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ debugSimulateDataplaneHangAfter:
+ description: |-
+ DebugSimulateDataplaneHangAfter is used to simulate a hang in the dataplane after the specified duration.
+ This is useful in tests of the watchdog system only!
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ defaultEndpointToHostAction:
+ description: |-
+ DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host
+ itself (after the endpoint's egress policy is applied). By default, Calico blocks traffic from workload
+ endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from
+ endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables
+ "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain
+ once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets
+ from workloads after processing workload endpoint egress policy. [Default: Drop]
+ pattern: ^(?i)(Drop|Accept|Return)?$
+ type: string
+ deviceRouteProtocol:
+ description: |-
+ DeviceRouteProtocol controls the protocol to set on routes programmed by Felix. The protocol is an 8-bit label
+ used to identify the owner of the route.
+ type: integer
+ deviceRouteSourceAddress:
+ description: |-
+ DeviceRouteSourceAddress IPv4 address to set as the source hint for routes programmed by Felix. When not set
+ the source address for local traffic from host to workload will be determined by the kernel.
+ type: string
+ deviceRouteSourceAddressIPv6:
+ description: |-
+ DeviceRouteSourceAddressIPv6 IPv6 address to set as the source hint for routes programmed by Felix. When not set
+ the source address for local traffic from host to workload will be determined by the kernel.
+ type: string
+ disableConntrackInvalidCheck:
+ description: |-
+ DisableConntrackInvalidCheck disables the check for invalid connections in conntrack. While the conntrack
+ invalid check helps to detect malicious traffic, it can also cause issues with certain multi-NIC scenarios.
+ type: boolean
+ endpointReportingDelay:
+ description: |-
+ EndpointReportingDelay is the delay before Felix reports endpoint status to the datastore. This is only used
+ by the OpenStack integration. [Default: 1s]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ endpointReportingEnabled:
+ description: |-
+ EndpointReportingEnabled controls whether Felix reports endpoint status to the datastore. This is only used
+ by the OpenStack integration. [Default: false]
+ type: boolean
+ endpointStatusPathPrefix:
+ description: |-
+ EndpointStatusPathPrefix is the path to the directory where endpoint status will be written. Endpoint status
+ file reporting is disabled if field is left empty.
+
+ Chosen directory should match the directory used by the CNI plugin for PodStartupDelay.
+ [Default: /var/run/calico]
+ type: string
+ externalNodesList:
+ description: |-
+ ExternalNodesCIDRList is a list of CIDR's of external, non-Calico nodes from which VXLAN/IPIP overlay traffic
+ will be allowed. By default, external tunneled traffic is blocked to reduce attack surface.
+ items:
+ type: string
+ type: array
+ failsafeInboundHostPorts:
+ description: |-
+ FailsafeInboundHostPorts is a list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will
+ allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally
+ cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified,
+ it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports,
+ use the value "[]". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API.
+ [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ]
+ items:
+ description: ProtoPort is combination of protocol, port, and CIDR.
+ Protocol and port must be specified.
+ properties:
+ net:
+ type: string
+ port:
+ type: integer
+ protocol:
+ type: string
+ required:
+ - port
+ type: object
+ type: array
+ failsafeOutboundHostPorts:
+ description: |-
+ FailsafeOutboundHostPorts is a list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix
+ will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally
+ cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults
+ to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports,
+ use the value "[]". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd
+ as well as allowing DHCP, DNS, BGP and the Kubernetes API.
+ [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ]
+ items:
+ description: ProtoPort is combination of protocol, port, and CIDR.
+ Protocol and port must be specified.
+ properties:
+ net:
+ type: string
+ port:
+ type: integer
+ protocol:
+ type: string
+ required:
+ - port
+ type: object
+ type: array
+ featureDetectOverride:
+ description: |-
+ FeatureDetectOverride is used to override feature detection based on auto-detected platform
+ capabilities. Values are specified in a comma separated list with no spaces, example;
+ "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". A value of "true" or "false" will
+ force enable/disable feature, empty or omitted values fall back to auto-detection.
+ pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
+ type: string
+ featureGates:
+ description: |-
+ FeatureGates is used to enable or disable tech-preview Calico features.
+ Values are specified in a comma separated list with no spaces, example;
+ "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is
+ used to enable features that are not fully production ready.
+ pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
+ type: string
+ floatingIPs:
+ description: |-
+ FloatingIPs configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived
+ floating IPs are always programmed, regardless of this setting.)
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ flowLogsCollectorDebugTrace:
+ description: |-
+ When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be
+ printed in their entirety.
+ type: boolean
+ flowLogsFlushInterval:
+ description: FlowLogsFlushInterval configures the interval at which
+ Felix exports flow logs.
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ flowLogsGoldmaneServer:
+ description: FlowLogGoldmaneServer is the flow server endpoint to
+ which flow data should be published.
+ type: string
+ flowLogsLocalReporter:
+ description: 'FlowLogsLocalReporter configures local unix socket for
+ reporting flow data from each node. [Default: Disabled]'
+ enum:
+ - Disabled
+ - Enabled
+ type: string
+ flowLogsPolicyEvaluationMode:
+ description: |-
+ Continuous - Felix evaluates active flows on a regular basis to determine the rule
+ traces in the flow logs. Any policy updates that impact a flow will be reflected in the
+ pending_policies field, offering a near-real-time view of policy changes across flows.
+ None - Felix stops evaluating pending traces.
+ [Default: Continuous]
+ enum:
+ - None
+ - Continuous
+ type: string
+ genericXDPEnabled:
+ description: |-
+ GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver
+ modes can use XDP. This is not recommended since it doesn't provide better performance than
+ iptables. [Default: false]
+ type: boolean
+ goGCThreshold:
+ description: |-
+ GoGCThreshold Sets the Go runtime's garbage collection threshold. I.e. the percentage that the heap is
+ allowed to grow before garbage collection is triggered. In general, doubling the value halves the CPU time
+ spent doing GC, but it also doubles peak GC memory overhead. A special value of -1 can be used
+ to disable GC entirely; this should only be used in conjunction with the GoMemoryLimitMB setting.
+
+ This setting is overridden by the GOGC environment variable.
+
+ [Default: 40]
+ type: integer
+ goMaxProcs:
+ description: |-
+ GoMaxProcs sets the maximum number of CPUs that the Go runtime will use concurrently. A value of -1 means
+ "use the system default"; typically the number of real CPUs on the system.
+
+ this setting is overridden by the GOMAXPROCS environment variable.
+
+ [Default: -1]
+ type: integer
+ goMemoryLimitMB:
+ description: |-
+ GoMemoryLimitMB sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory
+ usage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to
+ take more than 50% of the process's CPU time. A value of -1 disables the memory limit.
+
+ Note that the memory limit, if used, must be considerably less than any hard resource limit set at the container
+ or pod level. This is because felix is not the only process that must run in the container or pod.
+
+ This setting is overridden by the GOMEMLIMIT environment variable.
+
+ [Default: -1]
+ type: integer
+ healthEnabled:
+ description: |-
+ HealthEnabled if set to true, enables Felix's health port, which provides readiness and liveness endpoints.
+ [Default: false]
+ type: boolean
+ healthHost:
+ description: 'HealthHost is the host that the health server should
+ bind to. [Default: localhost]'
+ type: string
+ healthPort:
+ description: 'HealthPort is the TCP port that the health server should
+ bind to. [Default: 9099]'
+ type: integer
+ healthTimeoutOverrides:
+ description: |-
+ HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be
+ overridden. This is useful for working around "false positive" liveness timeouts that can occur
+ in particularly stressful workloads or if CPU is constrained. For a list of active
+ subcomponents, see Felix's logs.
+ items:
+ properties:
+ name:
+ type: string
+ timeout:
+ type: string
+ required:
+ - name
+ - timeout
+ type: object
+ type: array
+ interfaceExclude:
+ description: |-
+ InterfaceExclude A comma-separated list of interface names that should be excluded when Felix is resolving
+ host endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you
+ want to exclude multiple interface names using a single value, the list supports regular expressions. For
+ regular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude
+ all interfaces that begin with `kube` and also the interface `veth1`. [Default: kube-ipvs0]
+ type: string
+ interfacePrefix:
+ description: |-
+ InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes
+ them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators
+ configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value,
+ and our OpenStack integration sets the 'tap' value. [Default: cali]
+ type: string
+ interfaceRefreshInterval:
+ description: |-
+ InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state.
+ The rescan can be disabled by setting the interval to 0.
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ ipForwarding:
+ description: |-
+ IPForwarding controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required
+ when using Calico for workload networking. This should be disabled only on hosts where Calico is used solely for
+ host protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF
+ must be disabled. [Default: Enabled]
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ ipipEnabled:
+ description: |-
+ IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix
+ determines this based on the existing IP pools. [Default: nil (unset)]
+ type: boolean
+ ipipMTU:
+ description: |-
+ IPIPMTU controls the MTU to set on the IPIP tunnel device. Optional as Felix auto-detects the MTU based on the
+ MTU of the host's interfaces. [Default: 0 (auto-detect)]
+ type: integer
+ ipsetsRefreshInterval:
+ description: |-
+ IpsetsRefreshInterval controls the period at which Felix re-checks all IP sets to look for discrepancies.
+ Set to 0 to disable the periodic refresh. [Default: 90s]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ iptablesBackend:
+ description: |-
+ IptablesBackend controls which backend of iptables will be used. The default is `Auto`.
+
+ Warning: changing this on a running system can leave "orphaned" rules in the "other" backend. These
+ should be cleaned up to avoid confusing interactions.
+ pattern: ^(?i)(Auto|Legacy|NFT)?$
+ type: string
+ iptablesFilterAllowAction:
+ description: |-
+ IptablesFilterAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the
+ iptables filter table (which is used for "normal" policy). The default will immediately `Accept` the traffic. Use
+ `Return` to send the traffic back up to the system chains for further processing.
+ pattern: ^(?i)(Accept|Return)?$
+ type: string
+ iptablesFilterDenyAction:
+ description: |-
+ IptablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default Calico blocks traffic
+ with an iptables "DROP" action. If you want to use "REJECT" action instead you can configure it in here.
+ pattern: ^(?i)(Drop|Reject)?$
+ type: string
+ iptablesLockFilePath:
+ description: |-
+ IptablesLockFilePath is the location of the iptables lock file. You may need to change this
+ if the lock file is not in its standard location (for example if you have mapped it into Felix's
+ container at a different path). [Default: /run/xtables.lock]
+ type: string
+ iptablesLockProbeInterval:
+ description: |-
+ IptablesLockProbeInterval when IptablesLockTimeout is enabled: the time that Felix will wait between
+ attempts to acquire the iptables lock if it is not available. Lower values make Felix more
+ responsive when the lock is contended, but use more CPU. [Default: 50ms]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ iptablesLockTimeout:
+ description: |-
+ IptablesLockTimeout is the time that Felix itself will wait for the iptables lock (rather than delegating the
+ lock handling to the `iptables` command).
+
+ Deprecated: `iptables-restore` v1.8+ always takes the lock, so enabling this feature results in deadlock.
+ [Default: 0s disabled]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ iptablesMangleAllowAction:
+ description: |-
+ IptablesMangleAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the
+ iptables mangle table (which is used for "pre-DNAT" policy). The default will immediately `Accept` the traffic.
+ Use `Return` to send the traffic back up to the system chains for further processing.
+ pattern: ^(?i)(Accept|Return)?$
+ type: string
+ iptablesMarkMask:
+ description: |-
+ IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal
+ number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
+ [Default: 0xffff0000]
+ format: int32
+ type: integer
+ iptablesNATOutgoingInterfaceFilter:
+ description: |-
+ This parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a
+ Calico IPAM pool with "NAT outgoing" enabled. This can be useful if you have a main data interface, where
+ traffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and
+ doesn't require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a
+ wildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you
+ want to exclude the docker bridge, you could set this to eth+
+ type: string
+ iptablesPostWriteCheckInterval:
+ description: |-
+ IptablesPostWriteCheckInterval is the period after Felix has done a write
+ to the dataplane that it schedules an extra read back in order to check the write was not
+ clobbered by another process. This should only occur if another application on the system
+ doesn't respect the iptables lock. [Default: 1s]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ iptablesRefreshInterval:
+ description: |-
+ IptablesRefreshInterval is the period at which Felix re-checks the IP sets
+ in the dataplane to ensure that no other process has accidentally broken Calico's rules.
+ Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the
+ other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel
+ version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value
+ to reduce Felix CPU usage. [Default: 10s]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ ipv6Support:
+ description: IPv6Support controls whether Felix enables support for
+ IPv6 (if supported by the in-use dataplane).
+ type: boolean
+ kubeNodePortRanges:
+ description: |-
+ KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode.
+ Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767].
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ logDebugFilenameRegex:
+ description: |-
+ LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs.
+ Only logs from files with names that match the given regular expression are included. The filter only applies
+ to Debug level logs.
+ type: string
+ logFilePath:
+ description: 'LogFilePath is the full path to the Felix log. Set to
+ none to disable file logging. [Default: /var/log/calico/felix.log]'
+ type: string
+ logPrefix:
+ description: 'LogPrefix is the log prefix that Felix uses when rendering
+ LOG rules. [Default: calico-packet]'
+ type: string
+ logSeverityFile:
+ description: 'LogSeverityFile is the log severity above which logs
+ are sent to the log file. [Default: Info]'
+ pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$
+ type: string
+ logSeverityScreen:
+ description: 'LogSeverityScreen is the log severity above which logs
+ are sent to the stdout. [Default: Info]'
+ pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$
+ type: string
+ logSeveritySys:
+ description: |-
+ LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog.
+ [Default: Info]
+ pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$
+ type: string
+ maxIpsetSize:
+ description: |-
+ MaxIpsetSize is the maximum number of IP addresses that can be stored in an IP set. Not applicable
+ if using the nftables backend.
+ type: integer
+ metadataAddr:
+ description: |-
+ MetadataAddr is the IP address or domain name of the server that can answer VM queries for
+ cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in
+ Ubuntu, nova-api-metadata). A value of none (case-insensitive) means that Felix should not
+ set up any NAT rule for the metadata path. [Default: 127.0.0.1]
+ type: string
+ metadataPort:
+ description: |-
+ MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if
+ not 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
+ In most cases this should not need to be changed [Default: 8775].
+ type: integer
+ mtuIfacePattern:
+ description: |-
+ MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order
+ to calculate the host's MTU.
+ This should not match workload interfaces (usually named cali...).
+ type: string
+ natOutgoingAddress:
+ description: |-
+ NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that
+ is leaving the network. By default the address used is an address on the interface the traffic is leaving on
+ (i.e. it uses the iptables MASQUERADE target).
+ type: string
+ natPortRange:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the
+ network stack is used.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ netlinkTimeout:
+ description: |-
+ NetlinkTimeout is the timeout when talking to the kernel over the netlink protocol, used for programming
+ routes, rules, and other kernel objects. [Default: 10s]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ nftablesFilterAllowAction:
+ description: |-
+ NftablesFilterAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict
+ in the filter table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively,
+ `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules.
+ pattern: ^(?i)(Accept|Return)?$
+ type: string
+ nftablesFilterDenyAction:
+ description: |-
+ NftablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default, Calico
+ blocks traffic with a "drop" action. If you want to use a "reject" action instead you can configure it here.
+ pattern: ^(?i)(Drop|Reject)?$
+ type: string
+ nftablesMangleAllowAction:
+ description: |-
+ NftablesMangleAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict
+ in the mangle table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively,
+ `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules.
+ pattern: ^(?i)(Accept|Return)?$
+ type: string
+ nftablesMarkMask:
+ description: |-
+ NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal
+ number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
+ [Default: 0xffff0000]
+ format: int32
+ type: integer
+ nftablesMode:
+ description: 'NFTablesMode configures nftables support in Felix. [Default:
+ Disabled]'
+ enum:
+ - Disabled
+ - Enabled
+ - Auto
+ type: string
+ nftablesRefreshInterval:
+ description: 'NftablesRefreshInterval controls the interval at which
+ Felix periodically refreshes the nftables rules. [Default: 90s]'
+ type: string
+ openstackRegion:
+ description: |-
+ OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region
+ Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel,
+ or in felix.cfg or the environment on each compute node), and must match the [calico]
+ openstack_region value configured in neutron.conf on each node. [Default: Empty]
+ type: string
+ policySyncPathPrefix:
+ description: |-
+ PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services,
+ like Application layer policy. [Default: Empty]
+ type: string
+ prometheusGoMetricsEnabled:
+ description: |-
+ PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when
+ set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
+ type: boolean
+ prometheusMetricsEnabled:
+ description: 'PrometheusMetricsEnabled enables the Prometheus metrics
+ server in Felix if set to true. [Default: false]'
+ type: boolean
+ prometheusMetricsHost:
+ description: 'PrometheusMetricsHost is the host that the Prometheus
+ metrics server should bind to. [Default: empty]'
+ type: string
+ prometheusMetricsPort:
+ description: 'PrometheusMetricsPort is the TCP port that the Prometheus
+ metrics server should bind to. [Default: 9091]'
+ type: integer
+ prometheusProcessMetricsEnabled:
+ description: |-
+ PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when
+ set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
+ type: boolean
+ prometheusWireGuardMetricsEnabled:
+ description: |-
+ PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when
+ set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
+ type: boolean
+ removeExternalRoutes:
+ description: |-
+ RemoveExternalRoutes Controls whether Felix will remove unexpected routes to workload interfaces. Felix will
+ always clean up expected routes that use the configured DeviceRouteProtocol. To add your own routes, you must
+ use a distinct protocol (in addition to setting this field to false).
+ type: boolean
+ reportingInterval:
+ description: |-
+ ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable.
+ Must be non-zero in OpenStack deployments. [Default: 30s]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ reportingTTL:
+ description: 'ReportingTTL is the time-to-live setting for process-wide
+ status reports. [Default: 90s]'
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ routeRefreshInterval:
+ description: |-
+ RouteRefreshInterval is the period at which Felix re-checks the routes
+ in the dataplane to ensure that no other process has accidentally broken Calico's rules.
+ Set to 0 to disable route refresh. [Default: 90s]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ routeSource:
+ description: |-
+ RouteSource configures where Felix gets its routing information.
+ - WorkloadIPs: use workload endpoints to construct routes.
+ - CalicoIPAM: the default - use IPAM data to construct routes.
+ pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
+ type: string
+ routeSyncDisabled:
+ description: |-
+ RouteSyncDisabled will disable all operations performed on the route table. Set to true to
+ run in network-policy mode only.
+ type: boolean
+ routeTableRange:
+ description: |-
+ Deprecated in favor of RouteTableRanges.
+ Calico programs additional Linux route tables for various purposes.
+ RouteTableRange specifies the indices of the route tables that Calico should use.
+ properties:
+ max:
+ type: integer
+ min:
+ type: integer
+ required:
+ - max
+ - min
+ type: object
+ routeTableRanges:
+ description: |-
+ Calico programs additional Linux route tables for various purposes.
+ RouteTableRanges specifies a set of table index ranges that Calico should use.
+ Deprecates`RouteTableRange`, overrides `RouteTableRange`.
+ items:
+ properties:
+ max:
+ type: integer
+ min:
+ type: integer
+ required:
+ - max
+ - min
+ type: object
+ type: array
+ serviceLoopPrevention:
+ description: |-
+ When service IP advertisement is enabled, prevent routing loops to service IPs that are
+ not in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy.
+ Unless set to "Disabled", in which case such routing loops continue to be allowed.
+ [Default: Drop]
+ pattern: ^(?i)(Drop|Reject|Disabled)?$
+ type: string
+ sidecarAccelerationEnabled:
+ description: 'SidecarAccelerationEnabled enables experimental sidecar
+ acceleration [Default: false]'
+ type: boolean
+ usageReportingEnabled:
+ description: |-
+ UsageReportingEnabled reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage
+ server. For example, if a significant security vulnerability has been discovered in the version of Calico being used. [Default: true]
+ type: boolean
+ usageReportingInitialDelay:
+ description: 'UsageReportingInitialDelay controls the minimum delay
+ before Felix makes a report. [Default: 300s]'
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ usageReportingInterval:
+ description: 'UsageReportingInterval controls the interval at which
+ Felix makes reports. [Default: 86400s]'
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ useInternalDataplaneDriver:
+ description: |-
+ UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it
+ will launch an external dataplane driver and communicate with it over protobuf.
+ type: boolean
+ vxlanEnabled:
+ description: |-
+ VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking.
+ Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]
+ type: boolean
+ vxlanMTU:
+ description: |-
+ VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the
+ MTU of the host's interfaces. [Default: 0 (auto-detect)]
+ type: integer
+ vxlanMTUV6:
+ description: |-
+ VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the
+ MTU of the host's interfaces. [Default: 0 (auto-detect)]
+ type: integer
+ vxlanPort:
+ description: 'VXLANPort is the UDP port number to use for VXLAN traffic.
+ [Default: 4789]'
+ type: integer
+ vxlanVNI:
+ description: |-
+ VXLANVNI is the VXLAN VNI to use for VXLAN traffic. You may need to change this if the default value is
+ in use on your system. [Default: 4096]
+ type: integer
+ windowsManageFirewallRules:
+ description: 'WindowsManageFirewallRules configures whether or not
+ Felix will program Windows Firewall rules (to allow inbound access
+ to its own metrics ports). [Default: Disabled]'
+ enum:
+ - Enabled
+ - Disabled
+ type: string
+ wireguardEnabled:
+ description: 'WireguardEnabled controls whether Wireguard is enabled
+ for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
+ [Default: false]'
+ type: boolean
+ wireguardEnabledV6:
+ description: 'WireguardEnabledV6 controls whether Wireguard is enabled
+ for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network).
+ [Default: false]'
+ type: boolean
+ wireguardHostEncryptionEnabled:
+ description: 'WireguardHostEncryptionEnabled controls whether Wireguard
+ host-to-host encryption is enabled. [Default: false]'
+ type: boolean
+ wireguardInterfaceName:
+ description: 'WireguardInterfaceName specifies the name to use for
+ the IPv4 Wireguard interface. [Default: wireguard.cali]'
+ type: string
+ wireguardInterfaceNameV6:
+ description: 'WireguardInterfaceNameV6 specifies the name to use for
+ the IPv6 Wireguard interface. [Default: wg-v6.cali]'
+ type: string
+ wireguardKeepAlive:
+ description: 'WireguardPersistentKeepAlive controls Wireguard PersistentKeepalive
+ option. Set 0 to disable. [Default: 0]'
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ wireguardListeningPort:
+ description: 'WireguardListeningPort controls the listening port used
+ by IPv4 Wireguard. [Default: 51820]'
+ type: integer
+ wireguardListeningPortV6:
+ description: 'WireguardListeningPortV6 controls the listening port
+ used by IPv6 Wireguard. [Default: 51821]'
+ type: integer
+ wireguardMTU:
+ description: 'WireguardMTU controls the MTU on the IPv4 Wireguard
+ interface. See Configuring MTU [Default: 1440]'
+ type: integer
+ wireguardMTUV6:
+ description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard
+ interface. See Configuring MTU [Default: 1420]'
+ type: integer
+ wireguardRoutingRulePriority:
+ description: 'WireguardRoutingRulePriority controls the priority value
+ to use for the Wireguard routing rule. [Default: 99]'
+ type: integer
+ wireguardThreadingEnabled:
+ description: |-
+ WireguardThreadingEnabled controls whether Wireguard has Threaded NAPI enabled. [Default: false]
+ This increases the maximum number of packets a Wireguard interface can process.
+ Consider threaded NAPI only if you have high packets per second workloads that are causing dropping packets due to a saturated `softirq` CPU core.
+ There is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting
+ that may cause NAPI to get stuck holding the global `rtnl_mutex` when a peer is removed.
+ Workaround: Make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI.
+ type: boolean
+ workloadSourceSpoofing:
+ description: |-
+ WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP
+ address that is not theirs. This is disabled by default. When set to "Any", pods can request any prefix.
+ pattern: ^(?i)(Disabled|Any)?$
+ type: string
+ xdpEnabled:
+ description: 'XDPEnabled enables XDP acceleration for suitable untracked
+ incoming deny rules. [Default: true]'
+ type: boolean
+ xdpRefreshInterval:
+ description: |-
+ XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no
+ other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to
+ disable XDP refresh. [Default: 90s]
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_globalnetworkpolicies.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: globalnetworkpolicies.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: GlobalNetworkPolicy
+ listKind: GlobalNetworkPolicyList
+ plural: globalnetworkpolicies
+ singular: globalnetworkpolicy
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ applyOnForward:
+ description: ApplyOnForward indicates to apply the rules in this policy
+ on forward traffic.
+ type: boolean
+ doNotTrack:
+ description: |-
+ DoNotTrack indicates whether packets matched by the rules in this policy should go through
+ the data plane's connection tracking, such as Linux conntrack. If True, the rules in
+ this policy are applied before any data plane connection tracking, and packets allowed by
+ this policy are marked as not to be tracked.
+ type: boolean
+ egress:
+ description: |-
+ The ordered set of egress rules. Each rule contains a set of packet match criteria and
+ a corresponding action to apply.
+ items:
+ description: |-
+ A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
+ and security Profiles reference rules - separated out as a list of rules for both
+ ingress and egress packet matching.
+
+ Each positive match criteria has a negated version, prefixed with "Not". All the match
+ criteria within a rule must be satisfied for a packet to match. A single rule can contain
+ the positive and negative version of a match and both must be satisfied for the rule to match.
+ properties:
+ action:
+ type: string
+ destination:
+ description: Destination contains the match criteria that apply
+ to destination entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ http:
+ description: HTTP contains match criteria that apply to HTTP
+ requests.
+ properties:
+ methods:
+ description: |-
+ Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
+ HTTP Methods (e.g. GET, PUT, etc.)
+ Multiple methods are OR'd together.
+ items:
+ type: string
+ type: array
+ paths:
+ description: |-
+ Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
+ HTTP Paths.
+ Multiple paths are OR'd together.
+ e.g:
+ - exact: /foo
+ - prefix: /bar
+ NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
+ items:
+ description: |-
+ HTTPPath specifies an HTTP path to match. It may be either of the form:
+ exact: <path>: which matches the path exactly or
+ prefix: <path-prefix>: which matches the path prefix
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ type: object
+ type: array
+ type: object
+ icmp:
+ description: |-
+ ICMP is an optional field that restricts the rule to apply to a specific type and
+ code of ICMP traffic. This should only be specified if the Protocol field is set to
+ "ICMP" or "ICMPv6".
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ ipVersion:
+ description: |-
+ IPVersion is an optional field that restricts the rule to only match a specific IP
+ version.
+ type: integer
+ metadata:
+ description: Metadata contains additional information for this
+ rule
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a set of key value pairs that
+ give extra information about the rule
+ type: object
+ type: object
+ notICMP:
+ description: NotICMP is the negated version of the ICMP field.
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ notProtocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: NotProtocol is the negated version of the Protocol
+ field.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ protocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Protocol is an optional field that restricts the rule to only apply to traffic of
+ a specific IP protocol. Required if any of the EntityRules contain Ports
+ (because ports only apply to certain protocols).
+
+ Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
+ or an integer in the range 1-255.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ source:
+ description: Source contains the match criteria that apply to
+ source entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ ingress:
+ description: |-
+ The ordered set of ingress rules. Each rule contains a set of packet match criteria and
+ a corresponding action to apply.
+ items:
+ description: |-
+ A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
+ and security Profiles reference rules - separated out as a list of rules for both
+ ingress and egress packet matching.
+
+ Each positive match criteria has a negated version, prefixed with "Not". All the match
+ criteria within a rule must be satisfied for a packet to match. A single rule can contain
+ the positive and negative version of a match and both must be satisfied for the rule to match.
+ properties:
+ action:
+ type: string
+ destination:
+ description: Destination contains the match criteria that apply
+ to destination entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ http:
+ description: HTTP contains match criteria that apply to HTTP
+ requests.
+ properties:
+ methods:
+ description: |-
+ Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
+ HTTP Methods (e.g. GET, PUT, etc.)
+ Multiple methods are OR'd together.
+ items:
+ type: string
+ type: array
+ paths:
+ description: |-
+ Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
+ HTTP Paths.
+ Multiple paths are OR'd together.
+ e.g:
+ - exact: /foo
+ - prefix: /bar
+ NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
+ items:
+ description: |-
+ HTTPPath specifies an HTTP path to match. It may be either of the form:
+ exact: <path>: which matches the path exactly or
+ prefix: <path-prefix>: which matches the path prefix
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ type: object
+ type: array
+ type: object
+ icmp:
+ description: |-
+ ICMP is an optional field that restricts the rule to apply to a specific type and
+ code of ICMP traffic. This should only be specified if the Protocol field is set to
+ "ICMP" or "ICMPv6".
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ ipVersion:
+ description: |-
+ IPVersion is an optional field that restricts the rule to only match a specific IP
+ version.
+ type: integer
+ metadata:
+ description: Metadata contains additional information for this
+ rule
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a set of key value pairs that
+ give extra information about the rule
+ type: object
+ type: object
+ notICMP:
+ description: NotICMP is the negated version of the ICMP field.
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ notProtocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: NotProtocol is the negated version of the Protocol
+ field.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ protocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Protocol is an optional field that restricts the rule to only apply to traffic of
+ a specific IP protocol. Required if any of the EntityRules contain Ports
+ (because ports only apply to certain protocols).
+
+ Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
+ or an integer in the range 1-255.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ source:
+ description: Source contains the match criteria that apply to
+ source entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ namespaceSelector:
+ description: NamespaceSelector is an optional field for an expression
+ used to select a pod based on namespaces.
+ type: string
+ order:
+ description: |-
+ Order is an optional field that specifies the order in which the policy is applied.
+ Policies with higher "order" are applied after those with lower
+ order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the
+ policy will be applied last. Policies with identical order will be applied in
+ alphanumerical order based on the Policy "Name" within the tier.
+ type: number
+ performanceHints:
+ description: |-
+ PerformanceHints contains a list of hints to Calico's policy engine to
+ help process the policy more efficiently. Hints never change the
+ enforcement behaviour of the policy.
+
+ Currently, the only available hint is "AssumeNeededOnEveryNode". When
+ that hint is set on a policy, Felix will act as if the policy matches
+ a local endpoint even if it does not. This is useful for "preloading"
+ any large static policies that are known to be used on every node.
+ If the policy is _not_ used on a particular node then the work
+ done to preload the policy (and to maintain it) is wasted.
+ items:
+ type: string
+ type: array
+ preDNAT:
+ description: PreDNAT indicates to apply the rules in this policy before
+ any DNAT.
+ type: boolean
+ selector:
+ description: "The selector is an expression used to pick out the endpoints
+ that the policy should\nbe applied to.\n\nSelector expressions follow
+ this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g.
+ my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not
+ equal; also matches if label is not present\n\tlabel in { \"a\",
+ \"b\", \"c\", ... } -> true if the value of label X is one of
+ \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... }
+ \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name)
+ \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr
+ && expr -> Short-circuit and\n\texpr || expr -> Short-circuit
+ or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector
+ -> matches all endpoints.\n\nLabel names are allowed to contain
+ alphanumerics, -, _ and /. String literals are more permissive\nbut
+ they do not support escape characters.\n\nExamples (with made-up
+ labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype
+ in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)"
+ type: string
+ serviceAccountSelector:
+ description: ServiceAccountSelector is an optional field for an expression
+ used to select a pod based on service accounts.
+ type: string
+ tier:
+ description: |-
+ The name of the tier that this policy belongs to. If this is omitted, the default
+ tier (name is "default") is assumed. The specified tier must exist in order to create
+ security policies within the tier, the "default" tier is created automatically if it
+ does not exist, this means for deployments requiring only a single Tier, the tier name
+ may be omitted on all policy management requests.
+ type: string
+ types:
+ description: |-
+ Types indicates whether this policy applies to ingress, or to egress, or to both. When
+ not explicitly specified (and so the value on creation is empty or nil), Calico defaults
+ Types according to what Ingress and Egress rules are present in the policy. The
+ default is:
+
+ - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are
+ also no Ingress rules)
+
+ - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules
+
+ - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules.
+
+ When the policy is read back again, Types will always be one of these values, never empty
+ or nil.
+ items:
+ description: PolicyType enumerates the possible values of the PolicySpec
+ Types field.
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_globalnetworksets.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: globalnetworksets.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: GlobalNetworkSet
+ listKind: GlobalNetworkSetList
+ plural: globalnetworksets
+ singular: globalnetworkset
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs that share labels to
+ allow rules to refer to them via selectors. The labels of GlobalNetworkSet are not namespaced.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: GlobalNetworkSetSpec contains the specification for a NetworkSet
+ resource.
+ properties:
+ nets:
+ description: The list of IP networks that belong to this set.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_hostendpoints.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: hostendpoints.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: HostEndpoint
+ listKind: HostEndpointList
+ plural: hostendpoints
+ singular: hostendpoint
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: HostEndpointSpec contains the specification for a HostEndpoint
+ resource.
+ properties:
+ expectedIPs:
+ description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.\nIf
+ \"InterfaceName\" is not present, Calico will look for an interface
+ matching any\nof the IPs in the list and apply policy to that.\nNote:\n\tWhen
+ using the selector match criteria in an ingress or egress security
+ Policy\n\tor Profile, Calico converts the selector into a set of
+ IP addresses. For host\n\tendpoints, the ExpectedIPs field is used
+ for that purpose. (If only the interface\n\tname is specified, Calico
+ does not learn the IPs of the interface for use in match\n\tcriteria.)"
+ items:
+ type: string
+ type: array
+ interfaceName:
+ description: |-
+ Either "*", or the name of a specific Linux interface to apply policy to; or empty. "*"
+ indicates that this HostEndpoint governs all traffic to, from or through the default
+ network namespace of the host named by the "Node" field; entering and leaving that
+ namespace via any interface, including those from/to non-host-networked local workloads.
+
+ If InterfaceName is not "*", this HostEndpoint only governs traffic that enters or leaves
+ the host through the specific interface named by InterfaceName, or - when InterfaceName
+ is empty - through the specific interface that has one of the IPs in ExpectedIPs.
+ Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only
+ external interfaces (such as "eth0") are supported here; it isn't possible for a
+ HostEndpoint to protect traffic through a specific local workload interface.
+
+ Note: Only some kinds of policy are implemented for "*" HostEndpoints; initially just
+ pre-DNAT policy. Please check Calico documentation for the latest position.
+ type: string
+ node:
+ description: The node name identifying the Calico node instance.
+ type: string
+ ports:
+ description: Ports contains the endpoint's named ports, which may
+ be referenced in security policy rules.
+ items:
+ properties:
+ name:
+ type: string
+ port:
+ type: integer
+ protocol:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ type: array
+ profiles:
+ description: |-
+ A list of identifiers of security Profile objects that apply to this endpoint. Each
+ profile is applied in the order that they appear in this list. Profile rules are applied
+ after the selector-based security policy.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_ipamblocks.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: ipamblocks.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: IPAMBlock
+ listKind: IPAMBlockList
+ plural: ipamblocks
+ singular: ipamblock
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: IPAMBlockSpec contains the specification for an IPAMBlock
+ resource.
+ properties:
+ affinity:
+ description: |-
+ Affinity of the block, if this block has one. If set, it will be of the form
+ "host:<hostname>". If not set, this block is not affine to a host.
+ type: string
+ allocations:
+ description: |-
+ Array of allocations in-use within this block. nil entries mean the allocation is free.
+ For non-nil entries at index i, the index is the ordinal of the allocation within this block
+ and the value is the index of the associated attributes in the Attributes array.
+ items:
+ type: integer
+ # TODO: This nullable is manually added in. We should update controller-gen
+ # to handle []*int properly itself.
+ nullable: true
+ type: array
+ attributes:
+ description: |-
+ Attributes is an array of arbitrary metadata associated with allocations in the block. To find
+ attributes for a given allocation, use the value of the allocation's entry in the Allocations array
+ as the index of the element in this array.
+ items:
+ properties:
+ handle_id:
+ type: string
+ secondary:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: array
+ cidr:
+ description: The block's CIDR.
+ type: string
+ deleted:
+ description: |-
+ Deleted is an internal boolean used to workaround a limitation in the Kubernetes API whereby
+ deletion will not return a conflict error if the block has been updated. It should not be set manually.
+ type: boolean
+ sequenceNumber:
+ default: 0
+ description: |-
+ We store a sequence number that is updated each time the block is written.
+ Each allocation will also store the sequence number of the block at the time of its creation.
+ When releasing an IP, passing the sequence number associated with the allocation allows us
+ to protect against a race condition and ensure the IP hasn't been released and re-allocated
+ since the release request.
+ format: int64
+ type: integer
+ sequenceNumberForAllocation:
+ additionalProperties:
+ format: int64
+ type: integer
+ description: |-
+ Map of allocated ordinal within the block to sequence number of the block at
+ the time of allocation. Kubernetes does not allow numerical keys for maps, so
+ the key is cast to a string.
+ type: object
+ strictAffinity:
+ description: StrictAffinity on the IPAMBlock is deprecated and no
+ longer used by the code. Use IPAMConfig StrictAffinity instead.
+ type: boolean
+ unallocated:
+ description: Unallocated is an ordered list of allocations which are
+ free in the block.
+ items:
+ type: integer
+ type: array
+ required:
+ - allocations
+ - attributes
+ - cidr
+ - strictAffinity
+ - unallocated
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_ipamconfigs.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: ipamconfigs.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: IPAMConfig
+ listKind: IPAMConfigList
+ plural: ipamconfigs
+ singular: ipamconfig
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: IPAMConfigSpec contains the specification for an IPAMConfig
+ resource.
+ properties:
+ autoAllocateBlocks:
+ type: boolean
+ maxBlocksPerHost:
+ description: |-
+ MaxBlocksPerHost, if non-zero, is the max number of blocks that can be
+ affine to each host.
+ maximum: 2147483647
+ minimum: 0
+ type: integer
+ strictAffinity:
+ type: boolean
+ required:
+ - autoAllocateBlocks
+ - strictAffinity
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_ipamhandles.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: ipamhandles.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: IPAMHandle
+ listKind: IPAMHandleList
+ plural: ipamhandles
+ singular: ipamhandle
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: IPAMHandleSpec contains the specification for an IPAMHandle
+ resource.
+ properties:
+ block:
+ additionalProperties:
+ type: integer
+ type: object
+ deleted:
+ type: boolean
+ handleID:
+ type: string
+ required:
+ - block
+ - handleID
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_ippools.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: ippools.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: IPPool
+ listKind: IPPoolList
+ plural: ippools
+ singular: ippool
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: IPPoolSpec contains the specification for an IPPool resource.
+ properties:
+ allowedUses:
+ description: |-
+ AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to
+ ["Tunnel", "Workload"] for back-compatibility
+ items:
+ type: string
+ type: array
+ assignmentMode:
+ description: Determines the mode how IP addresses should be assigned
+ from this pool
+ enum:
+ - Automatic
+ - Manual
+ type: string
+ blockSize:
+ description: The block size to use for IP address assignments from
+ this pool. Defaults to 26 for IPv4 and 122 for IPv6.
+ type: integer
+ cidr:
+ description: The pool CIDR.
+ type: string
+ disableBGPExport:
+ description: 'Disable exporting routes from this IP Pool''s CIDR over
+ BGP. [Default: false]'
+ type: boolean
+ disabled:
+ description: When disabled is true, Calico IPAM will not assign addresses
+ from this pool.
+ type: boolean
+ ipip:
+ description: |-
+ Deprecated: this field is only used for APIv1 backwards compatibility.
+ Setting this field is not allowed, this field is for internal use only.
+ properties:
+ enabled:
+ description: |-
+ When enabled is true, ipip tunneling will be used to deliver packets to
+ destinations within this pool.
+ type: boolean
+ mode:
+ description: |-
+ The IPIP mode. This can be one of "always" or "cross-subnet". A mode
+ of "always" will also use IPIP tunneling for routing to destination IP
+ addresses within this pool. A mode of "cross-subnet" will only use IPIP
+ tunneling when the destination node is on a different subnet to the
+ originating node. The default value (if not specified) is "always".
+ type: string
+ type: object
+ ipipMode:
+ description: |-
+ Contains configuration for IPIP tunneling for this pool. If not specified,
+ then this is defaulted to "Never" (i.e. IPIP tunneling is disabled).
+ type: string
+ nat-outgoing:
+ description: |-
+ Deprecated: this field is only used for APIv1 backwards compatibility.
+ Setting this field is not allowed, this field is for internal use only.
+ type: boolean
+ natOutgoing:
+ description: |-
+ When natOutgoing is true, packets sent from Calico networked containers in
+ this pool to destinations outside of this pool will be masqueraded.
+ type: boolean
+ nodeSelector:
+ description: Allows IPPool to allocate for a specific node by label
+ selector.
+ type: string
+ vxlanMode:
+ description: |-
+ Contains configuration for VXLAN tunneling for this pool. If not specified,
+ then this is defaulted to "Never" (i.e. VXLAN tunneling is disabled).
+ type: string
+ required:
+ - cidr
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_ipreservations.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: ipreservations.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: IPReservation
+ listKind: IPReservationList
+ plural: ipreservations
+ singular: ipreservation
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: IPReservationSpec contains the specification for an IPReservation
+ resource.
+ properties:
+ reservedCIDRs:
+ description: ReservedCIDRs is a list of CIDRs and/or IP addresses
+ that Calico IPAM will exclude from new allocations.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_kubecontrollersconfigurations.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: kubecontrollersconfigurations.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: KubeControllersConfiguration
+ listKind: KubeControllersConfigurationList
+ plural: kubecontrollersconfigurations
+ singular: kubecontrollersconfiguration
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: KubeControllersConfigurationSpec contains the values of the
+ Kubernetes controllers configuration.
+ properties:
+ controllers:
+ description: Controllers enables and configures individual Kubernetes
+ controllers
+ properties:
+ loadBalancer:
+ description: LoadBalancer enables and configures the LoadBalancer
+ controller. Enabled by default, set to nil to disable.
+ properties:
+ assignIPs:
+ type: string
+ type: object
+ namespace:
+ description: Namespace enables and configures the namespace controller.
+ Enabled by default, set to nil to disable.
+ properties:
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform reconciliation
+ with the Calico datastore. [Default: 5m]'
+ type: string
+ type: object
+ node:
+ description: Node enables and configures the node controller.
+ Enabled by default, set to nil to disable.
+ properties:
+ hostEndpoint:
+ description: HostEndpoint controls syncing nodes to host endpoints.
+ Disabled by default, set to nil to disable.
+ properties:
+ autoCreate:
+ description: 'AutoCreate enables automatic creation of
+ host endpoints for every node. [Default: Disabled]'
+ type: string
+ createDefaultHostEndpoint:
+ type: string
+ templates:
+ description: Templates contains definition for creating
+ AutoHostEndpoints
+ items:
+ properties:
+ generateName:
+ description: GenerateName is appended to the end
+ of the generated AutoHostEndpoint name
+ type: string
+ interfaceCIDRs:
+ description: InterfaceCIDRs contains a list of CIRDs
+ used for matching nodeIPs to the AutoHostEndpoint
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels adds the specified labels to
+ the generated AutoHostEndpoint, labels from node
+ with the same name will be overwritten by values
+ from the template label
+ type: object
+ nodeSelector:
+ description: NodeSelector allows the AutoHostEndpoint
+ to be created only for specific nodes
+ type: string
+ type: object
+ type: array
+ type: object
+ leakGracePeriod:
+ description: |-
+ LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked.
+ Set to 0 to disable IP garbage collection. [Default: 15m]
+ type: string
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform reconciliation
+ with the Calico datastore. [Default: 5m]'
+ type: string
+ syncLabels:
+ description: 'SyncLabels controls whether to copy Kubernetes
+ node labels to Calico nodes. [Default: Enabled]'
+ type: string
+ type: object
+ policy:
+ description: Policy enables and configures the policy controller.
+ Enabled by default, set to nil to disable.
+ properties:
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform reconciliation
+ with the Calico datastore. [Default: 5m]'
+ type: string
+ type: object
+ serviceAccount:
+ description: ServiceAccount enables and configures the service
+ account controller. Enabled by default, set to nil to disable.
+ properties:
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform reconciliation
+ with the Calico datastore. [Default: 5m]'
+ type: string
+ type: object
+ workloadEndpoint:
+ description: WorkloadEndpoint enables and configures the workload
+ endpoint controller. Enabled by default, set to nil to disable.
+ properties:
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform reconciliation
+ with the Calico datastore. [Default: 5m]'
+ type: string
+ type: object
+ type: object
+ debugProfilePort:
+ description: |-
+ DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling
+ is disabled.
+ format: int32
+ type: integer
+ etcdV3CompactionPeriod:
+ description: 'EtcdV3CompactionPeriod is the period between etcdv3
+ compaction requests. Set to 0 to disable. [Default: 10m]'
+ type: string
+ healthChecks:
+ description: 'HealthChecks enables or disables support for health
+ checks [Default: Enabled]'
+ type: string
+ logSeverityScreen:
+ description: 'LogSeverityScreen is the log severity above which logs
+ are sent to the stdout. [Default: Info]'
+ type: string
+ prometheusMetricsPort:
+ description: 'PrometheusMetricsPort is the TCP port that the Prometheus
+ metrics server should bind to. Set to 0 to disable. [Default: 9094]'
+ type: integer
+ required:
+ - controllers
+ type: object
+ status:
+ description: |-
+ KubeControllersConfigurationStatus represents the status of the configuration. It's useful for admins to
+ be able to see the actual config that was applied, which can be modified by environment variables on the
+ kube-controllers process.
+ properties:
+ environmentVars:
+ additionalProperties:
+ type: string
+ description: |-
+ EnvironmentVars contains the environment variables on the kube-controllers that influenced
+ the RunningConfig.
+ type: object
+ runningConfig:
+ description: |-
+ RunningConfig contains the effective config that is running in the kube-controllers pod, after
+ merging the API resource with any environment variables.
+ properties:
+ controllers:
+ description: Controllers enables and configures individual Kubernetes
+ controllers
+ properties:
+ loadBalancer:
+ description: LoadBalancer enables and configures the LoadBalancer
+ controller. Enabled by default, set to nil to disable.
+ properties:
+ assignIPs:
+ type: string
+ type: object
+ namespace:
+ description: Namespace enables and configures the namespace
+ controller. Enabled by default, set to nil to disable.
+ properties:
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform
+ reconciliation with the Calico datastore. [Default:
+ 5m]'
+ type: string
+ type: object
+ node:
+ description: Node enables and configures the node controller.
+ Enabled by default, set to nil to disable.
+ properties:
+ hostEndpoint:
+ description: HostEndpoint controls syncing nodes to host
+ endpoints. Disabled by default, set to nil to disable.
+ properties:
+ autoCreate:
+ description: 'AutoCreate enables automatic creation
+ of host endpoints for every node. [Default: Disabled]'
+ type: string
+ createDefaultHostEndpoint:
+ type: string
+ templates:
+ description: Templates contains definition for creating
+ AutoHostEndpoints
+ items:
+ properties:
+ generateName:
+ description: GenerateName is appended to the
+ end of the generated AutoHostEndpoint name
+ type: string
+ interfaceCIDRs:
+ description: InterfaceCIDRs contains a list
+ of CIRDs used for matching nodeIPs to the
+ AutoHostEndpoint
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties:
+ type: string
+ description: Labels adds the specified labels
+ to the generated AutoHostEndpoint, labels
+ from node with the same name will be overwritten
+ by values from the template label
+ type: object
+ nodeSelector:
+ description: NodeSelector allows the AutoHostEndpoint
+ to be created only for specific nodes
+ type: string
+ type: object
+ type: array
+ type: object
+ leakGracePeriod:
+ description: |-
+ LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked.
+ Set to 0 to disable IP garbage collection. [Default: 15m]
+ type: string
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform
+ reconciliation with the Calico datastore. [Default:
+ 5m]'
+ type: string
+ syncLabels:
+ description: 'SyncLabels controls whether to copy Kubernetes
+ node labels to Calico nodes. [Default: Enabled]'
+ type: string
+ type: object
+ policy:
+ description: Policy enables and configures the policy controller.
+ Enabled by default, set to nil to disable.
+ properties:
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform
+ reconciliation with the Calico datastore. [Default:
+ 5m]'
+ type: string
+ type: object
+ serviceAccount:
+ description: ServiceAccount enables and configures the service
+ account controller. Enabled by default, set to nil to disable.
+ properties:
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform
+ reconciliation with the Calico datastore. [Default:
+ 5m]'
+ type: string
+ type: object
+ workloadEndpoint:
+ description: WorkloadEndpoint enables and configures the workload
+ endpoint controller. Enabled by default, set to nil to disable.
+ properties:
+ reconcilerPeriod:
+ description: 'ReconcilerPeriod is the period to perform
+ reconciliation with the Calico datastore. [Default:
+ 5m]'
+ type: string
+ type: object
+ type: object
+ debugProfilePort:
+ description: |-
+ DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling
+ is disabled.
+ format: int32
+ type: integer
+ etcdV3CompactionPeriod:
+ description: 'EtcdV3CompactionPeriod is the period between etcdv3
+ compaction requests. Set to 0 to disable. [Default: 10m]'
+ type: string
+ healthChecks:
+ description: 'HealthChecks enables or disables support for health
+ checks [Default: Enabled]'
+ type: string
+ logSeverityScreen:
+ description: 'LogSeverityScreen is the log severity above which
+ logs are sent to the stdout. [Default: Info]'
+ type: string
+ prometheusMetricsPort:
+ description: 'PrometheusMetricsPort is the TCP port that the Prometheus
+ metrics server should bind to. Set to 0 to disable. [Default:
+ 9094]'
+ type: integer
+ required:
+ - controllers
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_networkpolicies.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: networkpolicies.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: NetworkPolicy
+ listKind: NetworkPolicyList
+ plural: networkpolicies
+ singular: networkpolicy
+ preserveUnknownFields: false
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ egress:
+ description: |-
+ The ordered set of egress rules. Each rule contains a set of packet match criteria and
+ a corresponding action to apply.
+ items:
+ description: |-
+ A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
+ and security Profiles reference rules - separated out as a list of rules for both
+ ingress and egress packet matching.
+
+ Each positive match criteria has a negated version, prefixed with "Not". All the match
+ criteria within a rule must be satisfied for a packet to match. A single rule can contain
+ the positive and negative version of a match and both must be satisfied for the rule to match.
+ properties:
+ action:
+ type: string
+ destination:
+ description: Destination contains the match criteria that apply
+ to destination entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ http:
+ description: HTTP contains match criteria that apply to HTTP
+ requests.
+ properties:
+ methods:
+ description: |-
+ Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
+ HTTP Methods (e.g. GET, PUT, etc.)
+ Multiple methods are OR'd together.
+ items:
+ type: string
+ type: array
+ paths:
+ description: |-
+ Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
+ HTTP Paths.
+ Multiple paths are OR'd together.
+ e.g:
+ - exact: /foo
+ - prefix: /bar
+ NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
+ items:
+ description: |-
+ HTTPPath specifies an HTTP path to match. It may be either of the form:
+ exact: <path>: which matches the path exactly or
+ prefix: <path-prefix>: which matches the path prefix
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ type: object
+ type: array
+ type: object
+ icmp:
+ description: |-
+ ICMP is an optional field that restricts the rule to apply to a specific type and
+ code of ICMP traffic. This should only be specified if the Protocol field is set to
+ "ICMP" or "ICMPv6".
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ ipVersion:
+ description: |-
+ IPVersion is an optional field that restricts the rule to only match a specific IP
+ version.
+ type: integer
+ metadata:
+ description: Metadata contains additional information for this
+ rule
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a set of key value pairs that
+ give extra information about the rule
+ type: object
+ type: object
+ notICMP:
+ description: NotICMP is the negated version of the ICMP field.
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ notProtocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: NotProtocol is the negated version of the Protocol
+ field.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ protocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Protocol is an optional field that restricts the rule to only apply to traffic of
+ a specific IP protocol. Required if any of the EntityRules contain Ports
+ (because ports only apply to certain protocols).
+
+ Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
+ or an integer in the range 1-255.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ source:
+ description: Source contains the match criteria that apply to
+ source entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ ingress:
+ description: |-
+ The ordered set of ingress rules. Each rule contains a set of packet match criteria and
+ a corresponding action to apply.
+ items:
+ description: |-
+ A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
+ and security Profiles reference rules - separated out as a list of rules for both
+ ingress and egress packet matching.
+
+ Each positive match criteria has a negated version, prefixed with "Not". All the match
+ criteria within a rule must be satisfied for a packet to match. A single rule can contain
+ the positive and negative version of a match and both must be satisfied for the rule to match.
+ properties:
+ action:
+ type: string
+ destination:
+ description: Destination contains the match criteria that apply
+ to destination entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ http:
+ description: HTTP contains match criteria that apply to HTTP
+ requests.
+ properties:
+ methods:
+ description: |-
+ Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
+ HTTP Methods (e.g. GET, PUT, etc.)
+ Multiple methods are OR'd together.
+ items:
+ type: string
+ type: array
+ paths:
+ description: |-
+ Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
+ HTTP Paths.
+ Multiple paths are OR'd together.
+ e.g:
+ - exact: /foo
+ - prefix: /bar
+ NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
+ items:
+ description: |-
+ HTTPPath specifies an HTTP path to match. It may be either of the form:
+ exact: <path>: which matches the path exactly or
+ prefix: <path-prefix>: which matches the path prefix
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ type: object
+ type: array
+ type: object
+ icmp:
+ description: |-
+ ICMP is an optional field that restricts the rule to apply to a specific type and
+ code of ICMP traffic. This should only be specified if the Protocol field is set to
+ "ICMP" or "ICMPv6".
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ ipVersion:
+ description: |-
+ IPVersion is an optional field that restricts the rule to only match a specific IP
+ version.
+ type: integer
+ metadata:
+ description: Metadata contains additional information for this
+ rule
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a set of key value pairs that
+ give extra information about the rule
+ type: object
+ type: object
+ notICMP:
+ description: NotICMP is the negated version of the ICMP field.
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ notProtocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: NotProtocol is the negated version of the Protocol
+ field.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ protocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Protocol is an optional field that restricts the rule to only apply to traffic of
+ a specific IP protocol. Required if any of the EntityRules contain Ports
+ (because ports only apply to certain protocols).
+
+ Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
+ or an integer in the range 1-255.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ source:
+ description: Source contains the match criteria that apply to
+ source entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ order:
+ description: |-
+ Order is an optional field that specifies the order in which the policy is applied.
+ Policies with higher "order" are applied after those with lower
+ order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the
+ policy will be applied last. Policies with identical order will be applied in
+ alphanumerical order based on the Policy "Name" within the tier.
+ type: number
+ performanceHints:
+ description: |-
+ PerformanceHints contains a list of hints to Calico's policy engine to
+ help process the policy more efficiently. Hints never change the
+ enforcement behaviour of the policy.
+
+ Currently, the only available hint is "AssumeNeededOnEveryNode". When
+ that hint is set on a policy, Felix will act as if the policy matches
+ a local endpoint even if it does not. This is useful for "preloading"
+ any large static policies that are known to be used on every node.
+ If the policy is _not_ used on a particular node then the work
+ done to preload the policy (and to maintain it) is wasted.
+ items:
+ type: string
+ type: array
+ selector:
+ description: "The selector is an expression used to pick out the endpoints
+ that the policy should\nbe applied to.\n\nSelector expressions follow
+ this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g.
+ my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not
+ equal; also matches if label is not present\n\tlabel in { \"a\",
+ \"b\", \"c\", ... } -> true if the value of label X is one of
+ \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... }
+ \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name)
+ \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr
+ && expr -> Short-circuit and\n\texpr || expr -> Short-circuit
+ or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector
+ -> matches all endpoints.\n\nLabel names are allowed to contain
+ alphanumerics, -, _ and /. String literals are more permissive\nbut
+ they do not support escape characters.\n\nExamples (with made-up
+ labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype
+ in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)"
+ type: string
+ serviceAccountSelector:
+ description: ServiceAccountSelector is an optional field for an expression
+ used to select a pod based on service accounts.
+ type: string
+ tier:
+ description: |-
+ The name of the tier that this policy belongs to. If this is omitted, the default
+ tier (name is "default") is assumed. The specified tier must exist in order to create
+ security policies within the tier, the "default" tier is created automatically if it
+ does not exist, this means for deployments requiring only a single Tier, the tier name
+ may be omitted on all policy management requests.
+ type: string
+ types:
+ description: |-
+ Types indicates whether this policy applies to ingress, or to egress, or to both. When
+ not explicitly specified (and so the value on creation is empty or nil), Calico defaults
+ Types according to what Ingress and Egress are present in the policy. The
+ default is:
+
+ - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are
+ also no Ingress rules)
+
+ - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules
+
+ - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules.
+
+ When the policy is read back again, Types will always be one of these values, never empty
+ or nil.
+ items:
+ description: PolicyType enumerates the possible values of the PolicySpec
+ Types field.
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_networksets.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: networksets.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: NetworkSet
+ listKind: NetworkSetList
+ plural: networksets
+ singular: networkset
+ preserveUnknownFields: false
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: NetworkSetSpec contains the specification for a NetworkSet
+ resource.
+ properties:
+ nets:
+ description: The list of IP networks that belong to this set.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: stagedglobalnetworkpolicies.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: StagedGlobalNetworkPolicy
+ listKind: StagedGlobalNetworkPolicyList
+ plural: stagedglobalnetworkpolicies
+ singular: stagedglobalnetworkpolicy
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ applyOnForward:
+ description: ApplyOnForward indicates to apply the rules in this policy
+ on forward traffic.
+ type: boolean
+ doNotTrack:
+ description: |-
+ DoNotTrack indicates whether packets matched by the rules in this policy should go through
+ the data plane's connection tracking, such as Linux conntrack. If True, the rules in
+ this policy are applied before any data plane connection tracking, and packets allowed by
+ this policy are marked as not to be tracked.
+ type: boolean
+ egress:
+ description: |-
+ The ordered set of egress rules. Each rule contains a set of packet match criteria and
+ a corresponding action to apply.
+ items:
+ description: |-
+ A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
+ and security Profiles reference rules - separated out as a list of rules for both
+ ingress and egress packet matching.
+
+ Each positive match criteria has a negated version, prefixed with "Not". All the match
+ criteria within a rule must be satisfied for a packet to match. A single rule can contain
+ the positive and negative version of a match and both must be satisfied for the rule to match.
+ properties:
+ action:
+ type: string
+ destination:
+ description: Destination contains the match criteria that apply
+ to destination entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ http:
+ description: HTTP contains match criteria that apply to HTTP
+ requests.
+ properties:
+ methods:
+ description: |-
+ Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
+ HTTP Methods (e.g. GET, PUT, etc.)
+ Multiple methods are OR'd together.
+ items:
+ type: string
+ type: array
+ paths:
+ description: |-
+ Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
+ HTTP Paths.
+ Multiple paths are OR'd together.
+ e.g:
+ - exact: /foo
+ - prefix: /bar
+ NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
+ items:
+ description: |-
+ HTTPPath specifies an HTTP path to match. It may be either of the form:
+ exact: <path>: which matches the path exactly or
+ prefix: <path-prefix>: which matches the path prefix
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ type: object
+ type: array
+ type: object
+ icmp:
+ description: |-
+ ICMP is an optional field that restricts the rule to apply to a specific type and
+ code of ICMP traffic. This should only be specified if the Protocol field is set to
+ "ICMP" or "ICMPv6".
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ ipVersion:
+ description: |-
+ IPVersion is an optional field that restricts the rule to only match a specific IP
+ version.
+ type: integer
+ metadata:
+ description: Metadata contains additional information for this
+ rule
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a set of key value pairs that
+ give extra information about the rule
+ type: object
+ type: object
+ notICMP:
+ description: NotICMP is the negated version of the ICMP field.
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ notProtocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: NotProtocol is the negated version of the Protocol
+ field.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ protocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Protocol is an optional field that restricts the rule to only apply to traffic of
+ a specific IP protocol. Required if any of the EntityRules contain Ports
+ (because ports only apply to certain protocols).
+
+ Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
+ or an integer in the range 1-255.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ source:
+ description: Source contains the match criteria that apply to
+ source entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ ingress:
+ description: |-
+ The ordered set of ingress rules. Each rule contains a set of packet match criteria and
+ a corresponding action to apply.
+ items:
+ description: |-
+ A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
+ and security Profiles reference rules - separated out as a list of rules for both
+ ingress and egress packet matching.
+
+ Each positive match criteria has a negated version, prefixed with "Not". All the match
+ criteria within a rule must be satisfied for a packet to match. A single rule can contain
+ the positive and negative version of a match and both must be satisfied for the rule to match.
+ properties:
+ action:
+ type: string
+ destination:
+ description: Destination contains the match criteria that apply
+ to destination entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ http:
+ description: HTTP contains match criteria that apply to HTTP
+ requests.
+ properties:
+ methods:
+ description: |-
+ Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
+ HTTP Methods (e.g. GET, PUT, etc.)
+ Multiple methods are OR'd together.
+ items:
+ type: string
+ type: array
+ paths:
+ description: |-
+ Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
+ HTTP Paths.
+ Multiple paths are OR'd together.
+ e.g:
+ - exact: /foo
+ - prefix: /bar
+ NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
+ items:
+ description: |-
+ HTTPPath specifies an HTTP path to match. It may be either of the form:
+ exact: <path>: which matches the path exactly or
+ prefix: <path-prefix>: which matches the path prefix
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ type: object
+ type: array
+ type: object
+ icmp:
+ description: |-
+ ICMP is an optional field that restricts the rule to apply to a specific type and
+ code of ICMP traffic. This should only be specified if the Protocol field is set to
+ "ICMP" or "ICMPv6".
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ ipVersion:
+ description: |-
+ IPVersion is an optional field that restricts the rule to only match a specific IP
+ version.
+ type: integer
+ metadata:
+ description: Metadata contains additional information for this
+ rule
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a set of key value pairs that
+ give extra information about the rule
+ type: object
+ type: object
+ notICMP:
+ description: NotICMP is the negated version of the ICMP field.
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ notProtocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: NotProtocol is the negated version of the Protocol
+ field.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ protocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Protocol is an optional field that restricts the rule to only apply to traffic of
+ a specific IP protocol. Required if any of the EntityRules contain Ports
+ (because ports only apply to certain protocols).
+
+ Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
+ or an integer in the range 1-255.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ source:
+ description: Source contains the match criteria that apply to
+ source entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ namespaceSelector:
+ description: NamespaceSelector is an optional field for an expression
+ used to select a pod based on namespaces.
+ type: string
+ order:
+ description: |-
+ Order is an optional field that specifies the order in which the policy is applied.
+ Policies with higher "order" are applied after those with lower
+ order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the
+ policy will be applied last. Policies with identical order will be applied in
+ alphanumerical order based on the Policy "Name" within the tier.
+ type: number
+ performanceHints:
+ description: |-
+ PerformanceHints contains a list of hints to Calico's policy engine to
+ help process the policy more efficiently. Hints never change the
+ enforcement behaviour of the policy.
+
+ Currently, the only available hint is "AssumeNeededOnEveryNode". When
+ that hint is set on a policy, Felix will act as if the policy matches
+ a local endpoint even if it does not. This is useful for "preloading"
+ any large static policies that are known to be used on every node.
+ If the policy is _not_ used on a particular node then the work
+ done to preload the policy (and to maintain it) is wasted.
+ items:
+ type: string
+ type: array
+ preDNAT:
+ description: PreDNAT indicates to apply the rules in this policy before
+ any DNAT.
+ type: boolean
+ selector:
+ description: "The selector is an expression used to pick pick out
+ the endpoints that the policy should\nbe applied to.\n\nSelector
+ expressions follow this syntax:\n\n\tlabel == \"string_literal\"
+ \ -> comparison, e.g. my_label == \"foo bar\"\n\tlabel != \"string_literal\"
+ \ -> not equal; also matches if label is not present\n\tlabel
+ in { \"a\", \"b\", \"c\", ... } -> true if the value of label
+ X is one of \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\",
+ \"c\", ... } -> true if the value of label X is not one of \"a\",
+ \"b\", \"c\"\n\thas(label_name) -> True if that label is present\n\t!
+ expr -> negation of expr\n\texpr && expr -> Short-circuit and\n\texpr
+ || expr -> Short-circuit or\n\t( expr ) -> parens for grouping\n\tall()
+ or the empty selector -> matches all endpoints.\n\nLabel names are
+ allowed to contain alphanumerics, -, _ and /. String literals are
+ more permissive\nbut they do not support escape characters.\n\nExamples
+ (with made-up labels):\n\n\ttype == \"webserver\" && deployment
+ == \"prod\"\n\ttype in {\"frontend\", \"backend\"}\n\tdeployment
+ != \"dev\"\n\t! has(label_name)"
+ type: string
+ serviceAccountSelector:
+ description: ServiceAccountSelector is an optional field for an expression
+ used to select a pod based on service accounts.
+ type: string
+ stagedAction:
+ description: The staged action. If this is omitted, the default is
+ Set.
+ type: string
+ tier:
+ description: |-
+ The name of the tier that this policy belongs to. If this is omitted, the default
+ tier (name is "default") is assumed. The specified tier must exist in order to create
+ security policies within the tier, the "default" tier is created automatically if it
+ does not exist, this means for deployments requiring only a single Tier, the tier name
+ may be omitted on all policy management requests.
+ type: string
+ types:
+ description: |-
+ Types indicates whether this policy applies to ingress, or to egress, or to both. When
+ not explicitly specified (and so the value on creation is empty or nil), Calico defaults
+ Types according to what Ingress and Egress rules are present in the policy. The
+ default is:
+
+ - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are
+ also no Ingress rules)
+
+ - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules
+
+ - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules.
+
+ When the policy is read back again, Types will always be one of these values, never empty
+ or nil.
+ items:
+ description: PolicyType enumerates the possible values of the PolicySpec
+ Types field.
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: stagedkubernetesnetworkpolicies.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: StagedKubernetesNetworkPolicy
+ listKind: StagedKubernetesNetworkPolicyList
+ plural: stagedkubernetesnetworkpolicies
+ singular: stagedkubernetesnetworkpolicy
+ preserveUnknownFields: false
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ egress:
+ description: |-
+ List of egress rules to be applied to the selected pods. Outgoing traffic is
+ allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+ otherwise allows the traffic), OR if the traffic matches at least one egress rule
+ across all of the NetworkPolicy objects whose podSelector matches the pod. If
+ this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+ solely to ensure that the pods it selects are isolated by default).
+ This field is beta-level in 1.8
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow traffic
+ on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ List of ingress rules to be applied to the selected pods. Traffic is allowed to
+ a pod if there are no NetworkPolicies selecting the pod
+ (and cluster policy otherwise allows the traffic), OR if the traffic source is
+ the pod's local node, OR if the traffic matches at least one ingress rule
+ across all of the NetworkPolicy objects whose podSelector matches the pod. If
+ this field is empty then this NetworkPolicy does not allow any traffic (and serves
+ solely to ensure that the pods it selects are isolated by default)
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow traffic
+ on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ podSelector:
+ description: |-
+ Selects the pods to which this NetworkPolicy object applies. The array of
+ ingress rules is applied to any pods selected by this field. Multiple network
+ policies can select the same set of pods. In this case, the ingress rules for
+ each are combined additively. This field is NOT optional and follows standard
+ label selector semantics. An empty podSelector matches all pods in this
+ namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ policyTypes:
+ description: |-
+ List of rule types that the NetworkPolicy relates to.
+ Valid options are Ingress, Egress, or Ingress,Egress.
+ If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+ policies that contain an Egress section are assumed to affect Egress, and all policies
+ (whether or not they contain an Ingress section) are assumed to affect Ingress.
+ If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+ Likewise, if you want to write a policy that specifies that no egress is allowed,
+ you must specify a policyTypes value that include "Egress" (since such a policy would not include
+ an Egress section and would otherwise default to just [ "Ingress" ]).
+ This field is beta-level in 1.8
+ items:
+ description: |-
+ PolicyType string describes the NetworkPolicy type
+ This type is beta-level in 1.8
+ type: string
+ type: array
+ stagedAction:
+ description: The staged action. If this is omitted, the default is
+ Set.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_stagednetworkpolicies.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: stagednetworkpolicies.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: StagedNetworkPolicy
+ listKind: StagedNetworkPolicyList
+ plural: stagednetworkpolicies
+ singular: stagednetworkpolicy
+ preserveUnknownFields: false
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ egress:
+ description: |-
+ The ordered set of egress rules. Each rule contains a set of packet match criteria and
+ a corresponding action to apply.
+ items:
+ description: |-
+ A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
+ and security Profiles reference rules - separated out as a list of rules for both
+ ingress and egress packet matching.
+
+ Each positive match criteria has a negated version, prefixed with "Not". All the match
+ criteria within a rule must be satisfied for a packet to match. A single rule can contain
+ the positive and negative version of a match and both must be satisfied for the rule to match.
+ properties:
+ action:
+ type: string
+ destination:
+ description: Destination contains the match criteria that apply
+ to destination entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ http:
+ description: HTTP contains match criteria that apply to HTTP
+ requests.
+ properties:
+ methods:
+ description: |-
+ Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
+ HTTP Methods (e.g. GET, PUT, etc.)
+ Multiple methods are OR'd together.
+ items:
+ type: string
+ type: array
+ paths:
+ description: |-
+ Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
+ HTTP Paths.
+ Multiple paths are OR'd together.
+ e.g:
+ - exact: /foo
+ - prefix: /bar
+ NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
+ items:
+ description: |-
+ HTTPPath specifies an HTTP path to match. It may be either of the form:
+ exact: <path>: which matches the path exactly or
+ prefix: <path-prefix>: which matches the path prefix
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ type: object
+ type: array
+ type: object
+ icmp:
+ description: |-
+ ICMP is an optional field that restricts the rule to apply to a specific type and
+ code of ICMP traffic. This should only be specified if the Protocol field is set to
+ "ICMP" or "ICMPv6".
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ ipVersion:
+ description: |-
+ IPVersion is an optional field that restricts the rule to only match a specific IP
+ version.
+ type: integer
+ metadata:
+ description: Metadata contains additional information for this
+ rule
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a set of key value pairs that
+ give extra information about the rule
+ type: object
+ type: object
+ notICMP:
+ description: NotICMP is the negated version of the ICMP field.
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ notProtocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: NotProtocol is the negated version of the Protocol
+ field.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ protocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Protocol is an optional field that restricts the rule to only apply to traffic of
+ a specific IP protocol. Required if any of the EntityRules contain Ports
+ (because ports only apply to certain protocols).
+
+ Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
+ or an integer in the range 1-255.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ source:
+ description: Source contains the match criteria that apply to
+ source entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ ingress:
+ description: |-
+ The ordered set of ingress rules. Each rule contains a set of packet match criteria and
+ a corresponding action to apply.
+ items:
+ description: |-
+ A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
+ and security Profiles reference rules - separated out as a list of rules for both
+ ingress and egress packet matching.
+
+ Each positive match criteria has a negated version, prefixed with "Not". All the match
+ criteria within a rule must be satisfied for a packet to match. A single rule can contain
+ the positive and negative version of a match and both must be satisfied for the rule to match.
+ properties:
+ action:
+ type: string
+ destination:
+ description: Destination contains the match criteria that apply
+ to destination entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ http:
+ description: HTTP contains match criteria that apply to HTTP
+ requests.
+ properties:
+ methods:
+ description: |-
+ Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
+ HTTP Methods (e.g. GET, PUT, etc.)
+ Multiple methods are OR'd together.
+ items:
+ type: string
+ type: array
+ paths:
+ description: |-
+ Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
+ HTTP Paths.
+ Multiple paths are OR'd together.
+ e.g:
+ - exact: /foo
+ - prefix: /bar
+ NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
+ items:
+ description: |-
+ HTTPPath specifies an HTTP path to match. It may be either of the form:
+ exact: <path>: which matches the path exactly or
+ prefix: <path-prefix>: which matches the path prefix
+ properties:
+ exact:
+ type: string
+ prefix:
+ type: string
+ type: object
+ type: array
+ type: object
+ icmp:
+ description: |-
+ ICMP is an optional field that restricts the rule to apply to a specific type and
+ code of ICMP traffic. This should only be specified if the Protocol field is set to
+ "ICMP" or "ICMPv6".
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ ipVersion:
+ description: |-
+ IPVersion is an optional field that restricts the rule to only match a specific IP
+ version.
+ type: integer
+ metadata:
+ description: Metadata contains additional information for this
+ rule
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a set of key value pairs that
+ give extra information about the rule
+ type: object
+ type: object
+ notICMP:
+ description: NotICMP is the negated version of the ICMP field.
+ properties:
+ code:
+ description: |-
+ Match on a specific ICMP code. If specified, the Type value must also be specified.
+ This is a technical limitation imposed by the kernel's iptables firewall, which
+ Calico uses to enforce the rule.
+ type: integer
+ type:
+ description: |-
+ Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
+ (i.e. pings).
+ type: integer
+ type: object
+ notProtocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: NotProtocol is the negated version of the Protocol
+ field.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ protocol:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Protocol is an optional field that restricts the rule to only apply to traffic of
+ a specific IP protocol. Required if any of the EntityRules contain Ports
+ (because ports only apply to certain protocols).
+
+ Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
+ or an integer in the range 1-255.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ source:
+ description: Source contains the match criteria that apply to
+ source entity.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector is an optional field that contains a selector expression. Only traffic
+ that originates from (or terminates at) endpoints within the selected namespaces will be
+ matched. When both NamespaceSelector and another selector are defined on the same rule, then only
+ workload endpoints that are matched by both selectors will be selected by the rule.
+
+ For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
+ only workload endpoints in the same namespace as the NetworkPolicy.
+
+ For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
+ only GlobalNetworkSet or HostEndpoint.
+
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
+ endpoints across all namespaces.
+ type: string
+ nets:
+ description: |-
+ Nets is an optional field that restricts the rule to only apply to traffic that
+ originates from (or terminates at) IP addresses in any of the given subnets.
+ items:
+ type: string
+ type: array
+ notNets:
+ description: NotNets is the negated version of the Nets
+ field.
+ items:
+ type: string
+ type: array
+ notPorts:
+ description: |-
+ NotPorts is the negated version of the Ports field.
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ notSelector:
+ description: |-
+ NotSelector is the negated version of the Selector field. See Selector field for
+ subtleties with negated selectors.
+ type: string
+ ports:
+ description: |-
+ Ports is an optional field that restricts the rule to only apply to traffic that has a
+ source (destination) port that matches one of these ranges/values. This value is a
+ list of integers or strings that represent ranges of ports.
+
+ Since only some protocols have ports, if any ports are specified it requires the
+ Protocol match in the Rule to be set to "TCP" or "UDP".
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ selector:
+ description: "Selector is an optional field that contains
+ a selector expression (see Policy for\nsample syntax).
+ \ Only traffic that originates from (terminates at) endpoints
+ matching\nthe selector will be matched.\n\nNote that:
+ in addition to the negated version of the Selector (see
+ NotSelector below), the\nselector expression syntax itself
+ supports negation. The two types of negation are subtly\ndifferent.
+ One negates the set of matched endpoints, the other negates
+ the whole match:\n\n\tSelector = \"!has(my_label)\" matches
+ packets that are from other Calico-controlled\n\tendpoints
+ that do not have the label \"my_label\".\n\n\tNotSelector
+ = \"has(my_label)\" matches packets that are not from
+ Calico-controlled\n\tendpoints that do have the label
+ \"my_label\".\n\nThe effect is that the latter will accept
+ packets from non-Calico sources whereas the\nformer is
+ limited to packets from Calico-controlled endpoints."
+ type: string
+ serviceAccounts:
+ description: |-
+ ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
+ terminates at) a pod running as a matching service account.
+ properties:
+ names:
+ description: |-
+ Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
+ at) a pod running as a service account whose name is in the list.
+ items:
+ type: string
+ type: array
+ selector:
+ description: |-
+ Selector is an optional field that restricts the rule to only apply to traffic that originates from
+ (or terminates at) a pod running as a service account that matches the given label selector.
+ If both Names and Selector are specified then they are AND'ed.
+ type: string
+ type: object
+ services:
+ description: |-
+ Services is an optional field that contains options for matching Kubernetes Services.
+ If specified, only traffic that originates from or terminates at endpoints within the selected
+ service(s) will be matched, and only to/from each endpoint's port.
+
+ Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
+ NotNets or ServiceAccounts.
+
+ Ports and NotPorts can only be specified with Services on ingress rules.
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: |-
+ Namespace specifies the namespace of the given Service. If left empty, the rule
+ will match within this policy's namespace.
+ type: string
+ type: object
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ order:
+ description: |-
+ Order is an optional field that specifies the order in which the policy is applied.
+ Policies with higher "order" are applied after those with lower
+ order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the
+ policy will be applied last. Policies with identical order will be applied in
+ alphanumerical order based on the Policy "Name" within the tier.
+ type: number
+ performanceHints:
+ description: |-
+ PerformanceHints contains a list of hints to Calico's policy engine to
+ help process the policy more efficiently. Hints never change the
+ enforcement behaviour of the policy.
+
+ Currently, the only available hint is "AssumeNeededOnEveryNode". When
+ that hint is set on a policy, Felix will act as if the policy matches
+ a local endpoint even if it does not. This is useful for "preloading"
+ any large static policies that are known to be used on every node.
+ If the policy is _not_ used on a particular node then the work
+ done to preload the policy (and to maintain it) is wasted.
+ items:
+ type: string
+ type: array
+ selector:
+ description: "The selector is an expression used to pick pick out
+ the endpoints that the policy should\nbe applied to.\n\nSelector
+ expressions follow this syntax:\n\n\tlabel == \"string_literal\"
+ \ -> comparison, e.g. my_label == \"foo bar\"\n\tlabel != \"string_literal\"
+ \ -> not equal; also matches if label is not present\n\tlabel
+ in { \"a\", \"b\", \"c\", ... } -> true if the value of label
+ X is one of \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\",
+ \"c\", ... } -> true if the value of label X is not one of \"a\",
+ \"b\", \"c\"\n\thas(label_name) -> True if that label is present\n\t!
+ expr -> negation of expr\n\texpr && expr -> Short-circuit and\n\texpr
+ || expr -> Short-circuit or\n\t( expr ) -> parens for grouping\n\tall()
+ or the empty selector -> matches all endpoints.\n\nLabel names are
+ allowed to contain alphanumerics, -, _ and /. String literals are
+ more permissive\nbut they do not support escape characters.\n\nExamples
+ (with made-up labels):\n\n\ttype == \"webserver\" && deployment
+ == \"prod\"\n\ttype in {\"frontend\", \"backend\"}\n\tdeployment
+ != \"dev\"\n\t! has(label_name)"
+ type: string
+ serviceAccountSelector:
+ description: ServiceAccountSelector is an optional field for an expression
+ used to select a pod based on service accounts.
+ type: string
+ stagedAction:
+ description: The staged action. If this is omitted, the default is
+ Set.
+ type: string
+ tier:
+ description: |-
+ The name of the tier that this policy belongs to. If this is omitted, the default
+ tier (name is "default") is assumed. The specified tier must exist in order to create
+ security policies within the tier, the "default" tier is created automatically if it
+ does not exist, this means for deployments requiring only a single Tier, the tier name
+ may be omitted on all policy management requests.
+ type: string
+ types:
+ description: |-
+ Types indicates whether this policy applies to ingress, or to egress, or to both. When
+ not explicitly specified (and so the value on creation is empty or nil), Calico defaults
+ Types according to what Ingress and Egress are present in the policy. The
+ default is:
+
+ - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are
+ also no Ingress rules)
+
+ - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules
+
+ - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules.
+
+ When the policy is read back again, Types will always be one of these values, never empty
+ or nil.
+ items:
+ description: PolicyType enumerates the possible values of the PolicySpec
+ Types field.
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/crd.projectcalico.org_tiers.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.3
+ name: tiers.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: Tier
+ listKind: TierList
+ plural: tiers
+ singular: tier
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: TierSpec contains the specification for a security policy
+ tier resource.
+ properties:
+ defaultAction:
+ description: |-
+ DefaultAction specifies the action applied to workloads selected by a policy in the tier,
+ but not rule matched the workload's traffic.
+ [Default: Deny]
+ enum:
+ - Pass
+ - Deny
+ type: string
+ order:
+ description: |-
+ Order is an optional field that specifies the order in which the tier is applied.
+ Tiers with higher "order" are applied after those with lower order. If the order
+ is omitted, it may be considered to be "infinite" - i.e. the tier will be applied
+ last. Tiers with identical order will be applied in alphanumerical order based
+ on the Tier "Name".
+ type: number
+ type: object
+ type: object
+ served: true
+ storage: true
+---
+# Source: crds/policy.networking.k8s.io_adminnetworkpolicies.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/30
+ policy.networking.k8s.io/bundle-version: v0.1.1
+ policy.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: adminnetworkpolicies.policy.networking.k8s.io
+spec:
+ group: policy.networking.k8s.io
+ names:
+ kind: AdminNetworkPolicy
+ listKind: AdminNetworkPolicyList
+ plural: adminnetworkpolicies
+ shortNames:
+ - anp
+ singular: adminnetworkpolicy
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.priority
+ name: Priority
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ AdminNetworkPolicy is a cluster level resource that is part of the
+ AdminNetworkPolicy API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired behavior of AdminNetworkPolicy.
+ properties:
+ egress:
+ description: |-
+ Egress is the list of Egress rules to be applied to the selected pods.
+ A total of 100 rules will be allowed in each ANP instance.
+ The relative precedence of egress rules within a single ANP object (all of
+ which share the priority) will be determined by the order in which the rule
+ is written. Thus, a rule that appears at the top of the egress rules
+ would take the highest precedence.
+ ANPs with no egress rules do not affect egress traffic.
+
+
+ Support: Core
+ items:
+ description: |-
+ AdminNetworkPolicyEgressRule describes an action to take on a particular
+ set of traffic originating from pods selected by a AdminNetworkPolicy's
+ Subject field.
+ <network-policy-api:experimental:validation>
+ properties:
+ action:
+ description: |-
+ Action specifies the effect this rule will have on matching traffic.
+ Currently the following actions are supported:
+ Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy)
+ Deny: denies the selected traffic
+ Pass: instructs the selected traffic to skip any remaining ANP rules, and
+ then pass execution to any NetworkPolicies that select the pod.
+ If the pod is not selected by any NetworkPolicies then execution
+ is passed to any BaselineAdminNetworkPolicies that select the pod.
+
+
+ Support: Core
+ enum:
+ - Allow
+ - Deny
+ - Pass
+ type: string
+ name:
+ description: |-
+ Name is an identifier for this rule, that may be no more than 100 characters
+ in length. This field should be used by the implementation to help
+ improve observability, readability and error-reporting for any applied
+ AdminNetworkPolicies.
+
+
+ Support: Core
+ maxLength: 100
+ type: string
+ ports:
+ description: |-
+ Ports allows for matching traffic based on port and protocols.
+ This field is a list of destination ports for the outgoing egress traffic.
+ If Ports is not set then the rule does not filter traffic via port.
+
+
+ Support: Core
+ items:
+ description: |-
+ AdminNetworkPolicyPort describes how to select network ports on pod(s).
+ Exactly one field must be set.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namedPort:
+ description: |-
+ NamedPort selects a port on a pod(s) based on name.
+
+
+ Support: Extended
+
+
+ <network-policy-api:experimental>
+ type: string
+ portNumber:
+ description: |-
+ Port selects a port on a pod(s) based on number.
+
+
+ Support: Core
+ properties:
+ port:
+ description: |-
+ Number defines a network port value.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ default: TCP
+ description: |-
+ Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ match. If not specified, this field defaults to TCP.
+
+
+ Support: Core
+ type: string
+ required:
+ - port
+ - protocol
+ type: object
+ portRange:
+ description: |-
+ PortRange selects a port range on a pod(s) based on provided start and end
+ values.
+
+
+ Support: Core
+ properties:
+ end:
+ description: |-
+ End defines a network port that is the end of a port range, the End value
+ must be greater than Start.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ default: TCP
+ description: |-
+ Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ match. If not specified, this field defaults to TCP.
+
+
+ Support: Core
+ type: string
+ start:
+ description: |-
+ Start defines a network port that is the start of a port range, the Start
+ value must be less than End.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - end
+ - start
+ type: object
+ type: object
+ maxItems: 100
+ type: array
+ to:
+ description: |-
+ To is the List of destinations whose traffic this rule applies to.
+ If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
+ traffic then the specified action is applied.
+ This field must be defined and contain at least one item.
+
+
+ Support: Core
+ items:
+ description: |-
+ AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+ Exactly one of the selector pointers must be set for a given peer. If a
+ consumer observes none of its fields are set, they must assume an unknown
+ option has been specified and fail closed.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namespaces:
+ description: |-
+ Namespaces defines a way to select all pods within a set of Namespaces.
+ Note that host-networked pods are not included in this type of peer.
+
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ networks:
+ description: |-
+ Networks defines a way to select peers via CIDR blocks.
+ This is intended for representing entities that live outside the cluster,
+ which can't be selected by pods, namespaces and nodes peers, but note
+ that cluster-internal traffic will be checked against the rule as
+ well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+ or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+ add a rule that Passes all pod traffic before the Networks rule.
+
+
+ Each item in Networks should be provided in the CIDR format and should be
+ IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+
+
+ Networks can have upto 25 CIDRs specified.
+
+
+ Support: Extended
+
+
+ <network-policy-api:experimental>
+ items:
+ description: |-
+ CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
+ This string must be validated by implementations using net.ParseCIDR
+ TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
+ maxLength: 43
+ type: string
+ x-kubernetes-validations:
+ - message: CIDR must be either an IPv4 or IPv6 address.
+ IPv4 address embedded in IPv6 addresses are not
+ supported
+ rule: self.contains(':') != self.contains('.')
+ maxItems: 25
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ nodes:
+ description: |-
+ Nodes defines a way to select a set of nodes in
+ the cluster. This field follows standard label selector
+ semantics; if present but empty, it selects all Nodes.
+
+
+ Support: Extended
+
+
+ <network-policy-api:experimental>
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ pods:
+ description: |-
+ Pods defines a way to select a set of pods in
+ a set of namespaces. Note that host-networked pods
+ are not included in this type of peer.
+
+
+ Support: Core
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector follows standard label selector semantics; if empty,
+ it selects all Namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ PodSelector is used to explicitly select pods within a namespace; if empty,
+ it selects all Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - namespaceSelector
+ - podSelector
+ type: object
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ required:
+ - action
+ - to
+ type: object
+ x-kubernetes-validations:
+ - message: networks/nodes peer cannot be set with namedPorts since
+ there are no namedPorts for networks/nodes
+ rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes))
+ && has(self.ports) && self.ports.exists(port, has(port.namedPort)))'
+ maxItems: 100
+ type: array
+ ingress:
+ description: |-
+ Ingress is the list of Ingress rules to be applied to the selected pods.
+ A total of 100 rules will be allowed in each ANP instance.
+ The relative precedence of ingress rules within a single ANP object (all of
+ which share the priority) will be determined by the order in which the rule
+ is written. Thus, a rule that appears at the top of the ingress rules
+ would take the highest precedence.
+ ANPs with no ingress rules do not affect ingress traffic.
+
+
+ Support: Core
+ items:
+ description: |-
+ AdminNetworkPolicyIngressRule describes an action to take on a particular
+ set of traffic destined for pods selected by an AdminNetworkPolicy's
+ Subject field.
+ properties:
+ action:
+ description: |-
+ Action specifies the effect this rule will have on matching traffic.
+ Currently the following actions are supported:
+ Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy)
+ Deny: denies the selected traffic
+ Pass: instructs the selected traffic to skip any remaining ANP rules, and
+ then pass execution to any NetworkPolicies that select the pod.
+ If the pod is not selected by any NetworkPolicies then execution
+ is passed to any BaselineAdminNetworkPolicies that select the pod.
+
+
+ Support: Core
+ enum:
+ - Allow
+ - Deny
+ - Pass
+ type: string
+ from:
+ description: |-
+ From is the list of sources whose traffic this rule applies to.
+ If any AdminNetworkPolicyIngressPeer matches the source of incoming
+ traffic then the specified action is applied.
+ This field must be defined and contain at least one item.
+
+
+ Support: Core
+ items:
+ description: |-
+ AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
+ Exactly one of the selector pointers must be set for a given peer. If a
+ consumer observes none of its fields are set, they must assume an unknown
+ option has been specified and fail closed.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namespaces:
+ description: |-
+ Namespaces defines a way to select all pods within a set of Namespaces.
+ Note that host-networked pods are not included in this type of peer.
+
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ pods:
+ description: |-
+ Pods defines a way to select a set of pods in
+ a set of namespaces. Note that host-networked pods
+ are not included in this type of peer.
+
+
+ Support: Core
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector follows standard label selector semantics; if empty,
+ it selects all Namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ PodSelector is used to explicitly select pods within a namespace; if empty,
+ it selects all Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - namespaceSelector
+ - podSelector
+ type: object
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ name:
+ description: |-
+ Name is an identifier for this rule, that may be no more than 100 characters
+ in length. This field should be used by the implementation to help
+ improve observability, readability and error-reporting for any applied
+ AdminNetworkPolicies.
+
+
+ Support: Core
+ maxLength: 100
+ type: string
+ ports:
+ description: |-
+ Ports allows for matching traffic based on port and protocols.
+ This field is a list of ports which should be matched on
+ the pods selected for this policy i.e the subject of the policy.
+ So it matches on the destination port for the ingress traffic.
+ If Ports is not set then the rule does not filter traffic via port.
+
+
+ Support: Core
+ items:
+ description: |-
+ AdminNetworkPolicyPort describes how to select network ports on pod(s).
+ Exactly one field must be set.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namedPort:
+ description: |-
+ NamedPort selects a port on a pod(s) based on name.
+
+
+ Support: Extended
+
+
+ <network-policy-api:experimental>
+ type: string
+ portNumber:
+ description: |-
+ Port selects a port on a pod(s) based on number.
+
+
+ Support: Core
+ properties:
+ port:
+ description: |-
+ Number defines a network port value.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ default: TCP
+ description: |-
+ Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ match. If not specified, this field defaults to TCP.
+
+
+ Support: Core
+ type: string
+ required:
+ - port
+ - protocol
+ type: object
+ portRange:
+ description: |-
+ PortRange selects a port range on a pod(s) based on provided start and end
+ values.
+
+
+ Support: Core
+ properties:
+ end:
+ description: |-
+ End defines a network port that is the end of a port range, the End value
+ must be greater than Start.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ default: TCP
+ description: |-
+ Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ match. If not specified, this field defaults to TCP.
+
+
+ Support: Core
+ type: string
+ start:
+ description: |-
+ Start defines a network port that is the start of a port range, the Start
+ value must be less than End.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - end
+ - start
+ type: object
+ type: object
+ maxItems: 100
+ type: array
+ required:
+ - action
+ - from
+ type: object
+ maxItems: 100
+ type: array
+ priority:
+ description: |-
+ Priority is a value from 0 to 1000. Rules with lower priority values have
+ higher precedence, and are checked before rules with higher priority values.
+ All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or
+ BaselineAdminNetworkPolicy rules
+ The behavior is undefined if two ANP objects have same priority.
+
+
+ Support: Core
+ format: int32
+ maximum: 1000
+ minimum: 0
+ type: integer
+ subject:
+ description: |-
+ Subject defines the pods to which this AdminNetworkPolicy applies.
+ Note that host-networked pods are not included in subject selection.
+
+
+ Support: Core
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namespaces:
+ description: Namespaces is used to select pods via namespace selectors.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ pods:
+ description: Pods is used to select pods via namespace AND pod
+ selectors.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector follows standard label selector semantics; if empty,
+ it selects all Namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ PodSelector is used to explicitly select pods within a namespace; if empty,
+ it selects all Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - namespaceSelector
+ - podSelector
+ type: object
+ type: object
+ required:
+ - priority
+ - subject
+ type: object
+ status:
+ description: Status is the status to be reported by the implementation.
+ properties:
+ conditions:
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ required:
+ - conditions
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+# Source: crds/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/30
+ policy.networking.k8s.io/bundle-version: v0.1.1
+ policy.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ name: baselineadminnetworkpolicies.policy.networking.k8s.io
+spec:
+ group: policy.networking.k8s.io
+ names:
+ kind: BaselineAdminNetworkPolicy
+ listKind: BaselineAdminNetworkPolicyList
+ plural: baselineadminnetworkpolicies
+ shortNames:
+ - banp
+ singular: baselineadminnetworkpolicy
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ BaselineAdminNetworkPolicy is a cluster level resource that is part of the
+ AdminNetworkPolicy API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired behavior of BaselineAdminNetworkPolicy.
+ properties:
+ egress:
+ description: |-
+ Egress is the list of Egress rules to be applied to the selected pods if
+ they are not matched by any AdminNetworkPolicy or NetworkPolicy rules.
+ A total of 100 Egress rules will be allowed in each BANP instance.
+ The relative precedence of egress rules within a single BANP object
+ will be determined by the order in which the rule is written.
+ Thus, a rule that appears at the top of the egress rules
+ would take the highest precedence.
+ BANPs with no egress rules do not affect egress traffic.
+
+
+ Support: Core
+ items:
+ description: |-
+ BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular
+ set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's
+ Subject field.
+ <network-policy-api:experimental:validation>
+ properties:
+ action:
+ description: |-
+ Action specifies the effect this rule will have on matching traffic.
+ Currently the following actions are supported:
+ Allow: allows the selected traffic
+ Deny: denies the selected traffic
+
+
+ Support: Core
+ enum:
+ - Allow
+ - Deny
+ type: string
+ name:
+ description: |-
+ Name is an identifier for this rule, that may be no more than 100 characters
+ in length. This field should be used by the implementation to help
+ improve observability, readability and error-reporting for any applied
+ BaselineAdminNetworkPolicies.
+
+
+ Support: Core
+ maxLength: 100
+ type: string
+ ports:
+ description: |-
+ Ports allows for matching traffic based on port and protocols.
+ This field is a list of destination ports for the outgoing egress traffic.
+ If Ports is not set then the rule does not filter traffic via port.
+ items:
+ description: |-
+ AdminNetworkPolicyPort describes how to select network ports on pod(s).
+ Exactly one field must be set.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namedPort:
+ description: |-
+ NamedPort selects a port on a pod(s) based on name.
+
+
+ Support: Extended
+
+
+ <network-policy-api:experimental>
+ type: string
+ portNumber:
+ description: |-
+ Port selects a port on a pod(s) based on number.
+
+
+ Support: Core
+ properties:
+ port:
+ description: |-
+ Number defines a network port value.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ default: TCP
+ description: |-
+ Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ match. If not specified, this field defaults to TCP.
+
+
+ Support: Core
+ type: string
+ required:
+ - port
+ - protocol
+ type: object
+ portRange:
+ description: |-
+ PortRange selects a port range on a pod(s) based on provided start and end
+ values.
+
+
+ Support: Core
+ properties:
+ end:
+ description: |-
+ End defines a network port that is the end of a port range, the End value
+ must be greater than Start.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ default: TCP
+ description: |-
+ Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ match. If not specified, this field defaults to TCP.
+
+
+ Support: Core
+ type: string
+ start:
+ description: |-
+ Start defines a network port that is the start of a port range, the Start
+ value must be less than End.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - end
+ - start
+ type: object
+ type: object
+ maxItems: 100
+ type: array
+ to:
+ description: |-
+ To is the list of destinations whose traffic this rule applies to.
+ If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
+ traffic then the specified action is applied.
+ This field must be defined and contain at least one item.
+
+
+ Support: Core
+ items:
+ description: |-
+ AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+ Exactly one of the selector pointers must be set for a given peer. If a
+ consumer observes none of its fields are set, they must assume an unknown
+ option has been specified and fail closed.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namespaces:
+ description: |-
+ Namespaces defines a way to select all pods within a set of Namespaces.
+ Note that host-networked pods are not included in this type of peer.
+
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ networks:
+ description: |-
+ Networks defines a way to select peers via CIDR blocks.
+ This is intended for representing entities that live outside the cluster,
+ which can't be selected by pods, namespaces and nodes peers, but note
+ that cluster-internal traffic will be checked against the rule as
+ well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+ or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+ add a rule that Passes all pod traffic before the Networks rule.
+
+
+ Each item in Networks should be provided in the CIDR format and should be
+ IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+
+
+ Networks can have upto 25 CIDRs specified.
+
+
+ Support: Extended
+
+
+ <network-policy-api:experimental>
+ items:
+ description: |-
+ CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
+ This string must be validated by implementations using net.ParseCIDR
+ TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
+ maxLength: 43
+ type: string
+ x-kubernetes-validations:
+ - message: CIDR must be either an IPv4 or IPv6 address.
+ IPv4 address embedded in IPv6 addresses are not
+ supported
+ rule: self.contains(':') != self.contains('.')
+ maxItems: 25
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ nodes:
+ description: |-
+ Nodes defines a way to select a set of nodes in
+ the cluster. This field follows standard label selector
+ semantics; if present but empty, it selects all Nodes.
+
+
+ Support: Extended
+
+
+ <network-policy-api:experimental>
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ pods:
+ description: |-
+ Pods defines a way to select a set of pods in
+ a set of namespaces. Note that host-networked pods
+ are not included in this type of peer.
+
+
+ Support: Core
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector follows standard label selector semantics; if empty,
+ it selects all Namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ PodSelector is used to explicitly select pods within a namespace; if empty,
+ it selects all Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - namespaceSelector
+ - podSelector
+ type: object
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ required:
+ - action
+ - to
+ type: object
+ x-kubernetes-validations:
+ - message: networks/nodes peer cannot be set with namedPorts since
+ there are no namedPorts for networks/nodes
+ rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes))
+ && has(self.ports) && self.ports.exists(port, has(port.namedPort)))'
+ maxItems: 100
+ type: array
+ ingress:
+ description: |-
+ Ingress is the list of Ingress rules to be applied to the selected pods
+ if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules.
+ A total of 100 Ingress rules will be allowed in each BANP instance.
+ The relative precedence of ingress rules within a single BANP object
+ will be determined by the order in which the rule is written.
+ Thus, a rule that appears at the top of the ingress rules
+ would take the highest precedence.
+ BANPs with no ingress rules do not affect ingress traffic.
+
+
+ Support: Core
+ items:
+ description: |-
+ BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular
+ set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's
+ Subject field.
+ properties:
+ action:
+ description: |-
+ Action specifies the effect this rule will have on matching traffic.
+ Currently the following actions are supported:
+ Allow: allows the selected traffic
+ Deny: denies the selected traffic
+
+
+ Support: Core
+ enum:
+ - Allow
+ - Deny
+ type: string
+ from:
+ description: |-
+ From is the list of sources whose traffic this rule applies to.
+ If any AdminNetworkPolicyIngressPeer matches the source of incoming
+ traffic then the specified action is applied.
+ This field must be defined and contain at least one item.
+
+
+ Support: Core
+ items:
+ description: |-
+ AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
+ Exactly one of the selector pointers must be set for a given peer. If a
+ consumer observes none of its fields are set, they must assume an unknown
+ option has been specified and fail closed.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namespaces:
+ description: |-
+ Namespaces defines a way to select all pods within a set of Namespaces.
+ Note that host-networked pods are not included in this type of peer.
+
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ pods:
+ description: |-
+ Pods defines a way to select a set of pods in
+ a set of namespaces. Note that host-networked pods
+ are not included in this type of peer.
+
+
+ Support: Core
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector follows standard label selector semantics; if empty,
+ it selects all Namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ PodSelector is used to explicitly select pods within a namespace; if empty,
+ it selects all Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - namespaceSelector
+ - podSelector
+ type: object
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ name:
+ description: |-
+ Name is an identifier for this rule, that may be no more than 100 characters
+ in length. This field should be used by the implementation to help
+ improve observability, readability and error-reporting for any applied
+ BaselineAdminNetworkPolicies.
+
+
+ Support: Core
+ maxLength: 100
+ type: string
+ ports:
+ description: |-
+ Ports allows for matching traffic based on port and protocols.
+ This field is a list of ports which should be matched on
+ the pods selected for this policy i.e the subject of the policy.
+ So it matches on the destination port for the ingress traffic.
+ If Ports is not set then the rule does not filter traffic via port.
+
+
+ Support: Core
+ items:
+ description: |-
+ AdminNetworkPolicyPort describes how to select network ports on pod(s).
+ Exactly one field must be set.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namedPort:
+ description: |-
+ NamedPort selects a port on a pod(s) based on name.
+
+
+ Support: Extended
+
+
+ <network-policy-api:experimental>
+ type: string
+ portNumber:
+ description: |-
+ Port selects a port on a pod(s) based on number.
+
+
+ Support: Core
+ properties:
+ port:
+ description: |-
+ Number defines a network port value.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ default: TCP
+ description: |-
+ Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ match. If not specified, this field defaults to TCP.
+
+
+ Support: Core
+ type: string
+ required:
+ - port
+ - protocol
+ type: object
+ portRange:
+ description: |-
+ PortRange selects a port range on a pod(s) based on provided start and end
+ values.
+
+
+ Support: Core
+ properties:
+ end:
+ description: |-
+ End defines a network port that is the end of a port range, the End value
+ must be greater than Start.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ default: TCP
+ description: |-
+ Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+ match. If not specified, this field defaults to TCP.
+
+
+ Support: Core
+ type: string
+ start:
+ description: |-
+ Start defines a network port that is the start of a port range, the Start
+ value must be less than End.
+
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - end
+ - start
+ type: object
+ type: object
+ maxItems: 100
+ type: array
+ required:
+ - action
+ - from
+ type: object
+ maxItems: 100
+ type: array
+ subject:
+ description: |-
+ Subject defines the pods to which this BaselineAdminNetworkPolicy applies.
+ Note that host-networked pods are not included in subject selection.
+
+
+ Support: Core
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ namespaces:
+ description: Namespaces is used to select pods via namespace selectors.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ pods:
+ description: Pods is used to select pods via namespace AND pod
+ selectors.
+ properties:
+ namespaceSelector:
+ description: |-
+ NamespaceSelector follows standard label selector semantics; if empty,
+ it selects all Namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ PodSelector is used to explicitly select pods within a namespace; if empty,
+ it selects all Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - namespaceSelector
+ - podSelector
+ type: object
+ type: object
+ required:
+ - subject
+ type: object
+ status:
+ description: Status is the status to be reported by the implementation.
+ properties:
+ conditions:
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ required:
+ - conditions
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ x-kubernetes-validations:
+ - message: Only one baseline admin network policy with metadata.name="default"
+ can be created in the cluster
+ rule: self.metadata.name == 'default'
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
Code Review / csit.git / commitdiff