Signup
×

Welcome to Knowledge Base!

KB at your finger tips

This is one stop global knowledge base where you can learn about all the products, solutions and support features.

Categories
All
DevOps-Kubernetes
ConfigMap

ConfigMap

ConfigMap holds configuration data for pods to consume.

apiVersion: v1

import "k8s.io/api/core/v1"

ConfigMap

ConfigMap holds configuration data for pods to consume.


  • apiVersion: v1

  • kind: ConfigMap

  • metadata (ObjectMeta)

    Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

  • binaryData (map[string][]byte)

    BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet.

  • data (map[string]string)

    Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.

  • immutable (boolean)

    Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.

ConfigMapList

ConfigMapList is a resource containing a list of ConfigMap objects.


Operations


get read the specified ConfigMap

HTTP Request

GET /api/v1/namespaces/{namespace}/configmaps/{name}

Parameters

  • name (in path): string, required

    name of the ConfigMap

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (ConfigMap): OK

401: Unauthorized

list list or watch objects of kind ConfigMap

HTTP Request

GET /api/v1/namespaces/{namespace}/configmaps

Parameters

Response

200 (ConfigMapList): OK

401: Unauthorized

list list or watch objects of kind ConfigMap

HTTP Request

GET /api/v1/configmaps

Parameters

Response

200 (ConfigMapList): OK

401: Unauthorized

create create a ConfigMap

HTTP Request

POST /api/v1/namespaces/{namespace}/configmaps

Parameters

Response

200 (ConfigMap): OK

201 (ConfigMap): Created

202 (ConfigMap): Accepted

401: Unauthorized

update replace the specified ConfigMap

HTTP Request

PUT /api/v1/namespaces/{namespace}/configmaps/{name}

Parameters

Response

200 (ConfigMap): OK

201 (ConfigMap): Created

401: Unauthorized

patch partially update the specified ConfigMap

HTTP Request

PATCH /api/v1/namespaces/{namespace}/configmaps/{name}

Parameters

  • name (in path): string, required

    name of the ConfigMap

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (ConfigMap): OK

201 (ConfigMap): Created

401: Unauthorized

delete delete a ConfigMap

HTTP Request

DELETE /api/v1/namespaces/{namespace}/configmaps/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of ConfigMap

HTTP Request

DELETE /api/v1/namespaces/{namespace}/configmaps

Parameters

Response

200 (Status): OK

401: Unauthorized

Read article
CustomResourceDefinition

CustomResourceDefinition

CustomResourceDefinition represents a resource that should be exposed on the API server.

apiVersion: apiextensions.k8s.io/v1

import "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

CustomResourceDefinition

CustomResourceDefinition represents a resource that should be exposed on the API server. Its name MUST be in the format <.spec.name>.<.spec.group>.


CustomResourceDefinitionSpec

CustomResourceDefinitionSpec describes how a user wants their resource to appear


  • group (string), required

    group is the API group of the defined custom resource. The custom resources are served under /apis/\<group>/.... Must match the name of the CustomResourceDefinition (in the form \<names.plural>.\<group>).

  • names (CustomResourceDefinitionNames), required

    names specify the resource and kind names for the custom resource.

    CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition

    • names.kind (string), required

      kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the kind attribute in API calls.

    • names.plural (string), required

      plural is the plural name of the resource to serve. The custom resources are served under /apis/\<group>/\<version>/.../\<plural>. Must match the name of the CustomResourceDefinition (in the form \<names.plural>.\<group>). Must be all lowercase.

    • names.categories ([]string)

      categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). This is published in API discovery documents, and used by clients to support invocations like kubectl get all.

    • names.listKind (string)

      listKind is the serialized kind of the list for this resource. Defaults to "kindList".

    • names.shortNames ([]string)

      shortNames are short names for the resource, exposed in API discovery documents, and used by clients to support invocations like kubectl get \<shortname>. It must be all lowercase.

    • names.singular (string)

      singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased kind.

  • scope (string), required

    scope indicates whether the defined custom resource is cluster- or namespace-scoped. Allowed values are Cluster and Namespaced.

  • versions ([]CustomResourceDefinitionVersion), required

    versions is the list of all API versions of the defined custom resource. Version names are used to compute the order in which served versions are listed in API discovery. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.

    CustomResourceDefinitionVersion describes a version for CRD.

    • versions.name (string), required

      name is the version name, e.g. “v1”, “v2beta1”, etc. The custom resources are served under this version at /apis/\<group>/\<version>/... if served is true.

    • versions.served (boolean), required

      served is a flag enabling/disabling this version from being served via REST APIs

    • versions.storage (boolean), required

      storage indicates this version should be used when persisting custom resources to storage. There must be exactly one version with storage=true.

    • versions.additionalPrinterColumns ([]CustomResourceColumnDefinition)

      additionalPrinterColumns specifies additional columns returned in Table output. See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. If no columns are specified, a single column displaying the age of the custom resource is used.

      CustomResourceColumnDefinition specifies a column for server side printing.

      • versions.additionalPrinterColumns.jsonPath (string), required

        jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against each custom resource to produce the value for this column.

      • versions.additionalPrinterColumns.name (string), required

        name is a human readable name for the column.

      • versions.additionalPrinterColumns.type (string), required

        type is an OpenAPI type definition for this column. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.

      • versions.additionalPrinterColumns.description (string)

        description is a human readable description of this column.

      • versions.additionalPrinterColumns.format (string)

        format is an optional OpenAPI type definition for this column. The 'name' format is applied to the primary identifier column to assist in clients identifying column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.

      • versions.additionalPrinterColumns.priority (int32)

        priority is an integer defining the relative importance of this column compared to others. Lower numbers are considered higher priority. Columns that may be omitted in limited space scenarios should be given a priority greater than 0.

    • versions.deprecated (boolean)

      deprecated indicates this version of the custom resource API is deprecated. When set to true, API requests to this version receive a warning header in the server response. Defaults to false.

    • versions.deprecationWarning (string)

      deprecationWarning overrides the default warning returned to API clients. May only be set when deprecated is true. The default warning indicates this version is deprecated and recommends use of the newest served version of equal or greater stability, if one exists.

    • versions.schema (CustomResourceValidation)

      schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.

      CustomResourceValidation is a list of validation methods for CustomResources.

      • versions.schema.openAPIV3Schema (JSONSchemaProps)

        openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.

    • versions.subresources (CustomResourceSubresources)

      subresources specify what subresources this version of the defined custom resource have.

      CustomResourceSubresources defines the status and scale subresources for CustomResources.

      • versions.subresources.scale (CustomResourceSubresourceScale)

        scale indicates the custom resource should serve a /scale subresource that returns an autoscaling/v1 Scale object.

        CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.

        • versions.subresources.scale.specReplicasPath (string), required

          specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale spec.replicas. Only JSON paths without the array notation are allowed. Must be a JSON Path under .spec. If there is no value under the given path in the custom resource, the /scale subresource will return an error on GET.

        • versions.subresources.scale.statusReplicasPath (string), required

          statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale status.replicas. Only JSON paths without the array notation are allowed. Must be a JSON Path under .status. If there is no value under the given path in the custom resource, the status.replicas value in the /scale subresource will default to 0.

        • versions.subresources.scale.labelSelectorPath (string)

          labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale status.selector. Only JSON paths without the array notation are allowed. Must be a JSON Path under .status or .spec. Must be set to work with HorizontalPodAutoscaler. The field pointed by this JSON path must be a string field (not a complex selector struct) which contains a serialized label selector in string form. More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource If there is no value under the given path in the custom resource, the status.selector value in the /scale subresource will default to the empty string.

      • versions.subresources.status (CustomResourceSubresourceStatus)

        status indicates the custom resource should serve a /status subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the status stanza of the object. 2. requests to the custom resource /status subresource ignore changes to anything other than the status stanza of the object.

        CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. Status is represented by the .status JSON path inside of a CustomResource. When set, * exposes a /status subresource for the custom resource * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza

  • conversion (CustomResourceConversion)

    conversion defines conversion settings for the CRD.

    CustomResourceConversion describes how to convert different versions of a CR.

    • conversion.strategy (string), required

      strategy specifies how custom resources are converted between versions. Allowed values are: - None: The converter only change the apiVersion and would not touch any other field in the custom resource. - Webhook: API Server will call to an external webhook to do the conversion. Additional information is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.

    • conversion.webhook (WebhookConversion)

      webhook describes how to call the conversion webhook. Required when strategy is set to Webhook.

      WebhookConversion describes how to call a conversion webhook

      • conversion.webhook.conversionReviewVersions ([]string), required

        conversionReviewVersions is an ordered list of preferred ConversionReview versions the Webhook expects. The API server will use the first version in the list which it supports. If none of the versions specified in this list are supported by API server, conversion will fail for the custom resource. If a persisted Webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail.

      • conversion.webhook.clientConfig (WebhookClientConfig)

        clientConfig is the instructions for how to call the webhook if strategy is Webhook.

        WebhookClientConfig contains the information to make a TLS connection with the webhook.

        • conversion.webhook.clientConfig.caBundle ([]byte)

          caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.

        • conversion.webhook.clientConfig.service (ServiceReference)

          service is a reference to the service for this webhook. Either service or url must be specified.

          If the webhook is running within the cluster, then you should use service.

          ServiceReference holds a reference to Service.legacy.k8s.io

          • conversion.webhook.clientConfig.service.name (string), required

            name is the name of the service. Required

          • conversion.webhook.clientConfig.service.namespace (string), required

            namespace is the namespace of the service. Required

          • conversion.webhook.clientConfig.service.path (string)

            path is an optional URL path at which the webhook will be contacted.

          • conversion.webhook.clientConfig.service.port (int32)

            port is an optional service port at which the webhook will be contacted. port should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility.

        • conversion.webhook.clientConfig.url (string)

          url gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.

          The host should not refer to a service running in the cluster; use the service field instead. The host might be resolved via external DNS in some apiservers (e.g., kube-apiserver cannot resolve in-cluster DNS as that would be a layering violation). host may also be an IP address.

          Please note that using localhost or 127.0.0.1 as a host is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.

          The scheme must be "https"; the URL must begin with "https://".

          A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.

          Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.

  • preserveUnknownFields (boolean)

    preserveUnknownFields indicates that object fields which are not specified in the OpenAPI schema should be preserved when persisting to storage. apiVersion, kind, metadata and known fields inside metadata are always preserved. This field is deprecated in favor of setting x-preserve-unknown-fields to true in spec.versions[*].schema.openAPIV3Schema. See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.

JSONSchemaProps

JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).


  • $ref (string)

  • $schema (string)

  • additionalItems (JSONSchemaPropsOrBool)

    JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property.

  • additionalProperties (JSONSchemaPropsOrBool)

    JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property.

  • allOf ([]JSONSchemaProps)

  • anyOf ([]JSONSchemaProps)

  • default (JSON)

    default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. Defaulting requires spec.preserveUnknownFields to be false.

    JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.

  • definitions (map[string]JSONSchemaProps)

  • dependencies (map[string]JSONSchemaPropsOrStringArray)

    JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.

  • description (string)

  • enum ([]JSON)

    JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.

  • example (JSON)

    JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.

  • exclusiveMaximum (boolean)

  • exclusiveMinimum (boolean)

  • externalDocs (ExternalDocumentation)

    ExternalDocumentation allows referencing an external resource for extended documentation.

    • externalDocs.description (string)

    • externalDocs.url (string)

  • format (string)

    format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:

    • bsonobjectid: a bson object ID, i.e. a 24 characters hex string - uri: an URI as parsed by Golang net/url.ParseRequestURI - email: an email address as parsed by Golang net/mail.ParseAddress - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. - ipv4: an IPv4 IP as parsed by Golang net.ParseIP - ipv6: an IPv6 IP as parsed by Golang net.ParseIP - cidr: a CIDR as parsed by Golang net.ParseCIDR - mac: a MAC address as parsed by Golang net.ParseMAC - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041" - isbn10: an ISBN10 number string like "0321751043" - isbn13: an ISBN13 number string like "978-0321751041" - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$ with any non digit characters mixed in - ssn: a U.S. social security number following the regex ^\d{3}[- ]?\d{2}[- ]?\d{4}$ - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559" - byte: base64 encoded binary data - password: any kind of string - date: a date string like "2006-01-02" as defined by full-date in RFC3339 - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
  • id (string)

  • items (JSONSchemaPropsOrArray)

    JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps or an array of JSONSchemaProps. Mainly here for serialization purposes.

  • maxItems (int64)

  • maxLength (int64)

  • maxProperties (int64)

  • maximum (double)

  • minItems (int64)

  • minLength (int64)

  • minProperties (int64)

  • minimum (double)

  • multipleOf (double)

  • not (JSONSchemaProps)

  • nullable (boolean)

  • oneOf ([]JSONSchemaProps)

  • pattern (string)

  • patternProperties (map[string]JSONSchemaProps)

  • properties (map[string]JSONSchemaProps)

  • required ([]string)

  • title (string)

  • type (string)

  • uniqueItems (boolean)

  • x-kubernetes-embedded-resource (boolean)

    x-kubernetes-embedded-resource defines that the value is an embedded Kubernetes runtime.Object, with TypeMeta and ObjectMeta. The type must be object. It is allowed to further restrict the embedded object. kind, apiVersion and metadata are validated automatically. x-kubernetes-preserve-unknown-fields is allowed to be true, but does not have to be if the object is fully specified (up to kind, apiVersion, metadata).

  • x-kubernetes-int-or-string (boolean)

    x-kubernetes-int-or-string specifies that this value is either an integer or a string. If this is true, an empty type is allowed and type as child of anyOf is permitted if following one of the following patterns:

    1. anyOf:
      • type: integer
      • type: string
    2. allOf:
      • anyOf:
        • type: integer
        • type: string
      • ... zero or more
  • x-kubernetes-list-map-keys ([]string)

    x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type map by specifying the keys used as the index of the map.

    This tag MUST only be used on lists that have the "x-kubernetes-list-type" extension set to "map". Also, the values specified for this attribute must be a scalar typed field of the child structure (no nesting is supported).

    The properties specified must either be required or have a default value, to ensure those properties are present for all list items.

  • x-kubernetes-list-type (string)

    x-kubernetes-list-type annotates an array to further describe its topology. This extension must only be used on lists and may have 3 possible values:

    1. atomic: the list is treated as a single entity, like a scalar. Atomic lists will be entirely replaced when updated. This extension may be used on any type of list (struct, scalar, ...).
    2. set: Sets are lists that must not have multiple items with the same value. Each value must be a scalar, an object with x-kubernetes-map-type atomic or an array with x-kubernetes-list-type atomic.
    3. map: These lists are like maps in that their elements have a non-index key used to identify them. Order is preserved upon merge. The map tag must only be used on a list with elements of type object. Defaults to atomic for arrays.
  • x-kubernetes-map-type (string)

    x-kubernetes-map-type annotates an object to further describe its topology. This extension must only be used when type is object and may have 2 possible values:

    1. granular: These maps are actual maps (key-value pairs) and each fields are independent from each other (they can each be manipulated by separate actors). This is the default behaviour for all maps.
    2. atomic: the list is treated as a single entity, like a scalar. Atomic maps will be entirely replaced when updated.
  • x-kubernetes-preserve-unknown-fields (boolean)

    x-kubernetes-preserve-unknown-fields stops the API server decoding step from pruning fields which are not specified in the validation schema. This affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. False is forbidden.

  • x-kubernetes-validations ([]ValidationRule)

    Patch strategy: merge on key rule

    Map: unique values on key rule will be kept during a merge

    x-kubernetes-validations describes a list of validation rules written in the CEL expression language. This field is an alpha-level. Using this field requires the feature gate CustomResourceValidationExpressions to be enabled.

    ValidationRule describes a validation rule written in the CEL expression language.

    • x-kubernetes-validations.rule (string), required

      Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the x-kubernetes-validations extension in the schema. The self variable in the CEL expression is bound to the scoped value. Example: - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}

      If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable via self.field and field presence can be checked via has(self.field). Null valued fields are treated as absent fields in CEL expressions. If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map are accessible via self[mapKey], map containment can be checked via mapKey in self and all entries of the map are accessible via CEL macros and functions such as self.all(...). If the Rule is scoped to an array, the elements of the array are accessible via self[i] and also by macros and functions. If the Rule is scoped to a scalar, self is bound to the scalar value. Examples: - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"} - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"} - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}

      The apiVersion, kind, metadata.name and metadata.generateName are always accessible from the root of the object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.

      Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL expressions. This includes: - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields. - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:

      • A schema with no type and x-kubernetes-preserve-unknown-fields set to true
      • An array where the items schema is of an "unknown type"
      • An object where the additionalProperties schema is of an "unknown type"

      Only property names of the form [a-zA-Z_.-/][a-zA-Z0-9_.-/]* are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '' escapes to 'underscores' - '.' escapes to 'dot' - '-' escapes to 'dash' - '/' escapes to 'slash' - Property names that exactly match a CEL RESERVED keyword escape to '{keyword}__'. The keywords are: "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", "import", "let", "loop", "package", "namespace", "return". Examples:

      • Rule accessing a property named "namespace": {"rule": "self.namespace > 0"}
      • Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
      • Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}

      Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:

      • 'set': X + Y performs a union where the array positions of all elements in X are preserved and non-intersecting elements in Y are appended, retaining their partial order.
      • 'map': X + Y performs a merge where the array positions of all keys in X are preserved but the values are overwritten by values in Y when the key sets of X and Y intersect. Elements in Y with non-intersecting keys are appended, retaining their partial order.
    • x-kubernetes-validations.message (string)

      Message represents the message displayed when validation fails. The message is required if the Rule contains line breaks. The message must not contain line breaks. If unset, the message is "failed rule: {Rule}". e.g. "must be a URL with the host matching spec.host"

CustomResourceDefinitionStatus

CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition


  • acceptedNames (CustomResourceDefinitionNames)

    acceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec.

    CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition

    • acceptedNames.kind (string), required

      kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the kind attribute in API calls.

    • acceptedNames.plural (string), required

      plural is the plural name of the resource to serve. The custom resources are served under /apis/\<group>/\<version>/.../\<plural>. Must match the name of the CustomResourceDefinition (in the form \<names.plural>.\<group>). Must be all lowercase.

    • acceptedNames.categories ([]string)

      categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). This is published in API discovery documents, and used by clients to support invocations like kubectl get all.

    • acceptedNames.listKind (string)

      listKind is the serialized kind of the list for this resource. Defaults to "kindList".

    • acceptedNames.shortNames ([]string)

      shortNames are short names for the resource, exposed in API discovery documents, and used by clients to support invocations like kubectl get \<shortname>. It must be all lowercase.

    • acceptedNames.singular (string)

      singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased kind.

  • conditions ([]CustomResourceDefinitionCondition)

    Map: unique values on key type will be kept during a merge

    conditions indicate state for particular aspects of a CustomResourceDefinition

    CustomResourceDefinitionCondition contains details for the current condition of this pod.

    • conditions.status (string), required

      status is the status of the condition. Can be True, False, Unknown.

    • conditions.type (string), required

      type is the type of the condition. Types include Established, NamesAccepted and Terminating.

    • conditions.lastTransitionTime (Time)

      lastTransitionTime last time the condition transitioned from one status to another.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.message (string)

      message is a human-readable message indicating details about last transition.

    • conditions.reason (string)

      reason is a unique, one-word, CamelCase reason for the condition's last transition.

  • storedVersions ([]string)

    storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from spec.versions while they exist in this list.

CustomResourceDefinitionList

CustomResourceDefinitionList is a list of CustomResourceDefinition objects.


Operations


get read the specified CustomResourceDefinition

HTTP Request

GET /apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}

Parameters

  • name (in path): string, required

    name of the CustomResourceDefinition

  • pretty (in query): string

    pretty

Response

200 (CustomResourceDefinition): OK

401: Unauthorized

get read status of the specified CustomResourceDefinition

HTTP Request

GET /apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}/status

Parameters

  • name (in path): string, required

    name of the CustomResourceDefinition

  • pretty (in query): string

    pretty

Response

200 (CustomResourceDefinition): OK

401: Unauthorized

list list or watch objects of kind CustomResourceDefinition

HTTP Request

GET /apis/apiextensions.k8s.io/v1/customresourcedefinitions

Parameters

Response

200 (CustomResourceDefinitionList): OK

401: Unauthorized

create create a CustomResourceDefinition

HTTP Request

POST /apis/apiextensions.k8s.io/v1/customresourcedefinitions

Parameters

Response

200 (CustomResourceDefinition): OK

201 (CustomResourceDefinition): Created

202 (CustomResourceDefinition): Accepted

401: Unauthorized

update replace the specified CustomResourceDefinition

HTTP Request

PUT /apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}

Parameters

Response

200 (CustomResourceDefinition): OK

201 (CustomResourceDefinition): Created

401: Unauthorized

update replace status of the specified CustomResourceDefinition

HTTP Request

PUT /apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}/status

Parameters

Response

200 (CustomResourceDefinition): OK

201 (CustomResourceDefinition): Created

401: Unauthorized

patch partially update the specified CustomResourceDefinition

HTTP Request

PATCH /apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}

Parameters

  • name (in path): string, required

    name of the CustomResourceDefinition

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (CustomResourceDefinition): OK

201 (CustomResourceDefinition): Created

401: Unauthorized

patch partially update status of the specified CustomResourceDefinition

HTTP Request

PATCH /apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}/status

Parameters

  • name (in path): string, required

    name of the CustomResourceDefinition

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (CustomResourceDefinition): OK

201 (CustomResourceDefinition): Created

401: Unauthorized

delete delete a CustomResourceDefinition

HTTP Request

DELETE /apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of CustomResourceDefinition

HTTP Request

DELETE /apis/apiextensions.k8s.io/v1/customresourcedefinitions

Parameters

Response

200 (Status): OK

401: Unauthorized

Read article
DeleteOptions

DeleteOptions

DeleteOptions may be provided when deleting an API object.

import "k8s.io/apimachinery/pkg/apis/meta/v1"

DeleteOptions may be provided when deleting an API object.


  • apiVersion (string)

    APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

  • dryRun ([]string)

    When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

  • gracePeriodSeconds (int64)

    The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.

  • kind (string)

    Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

  • orphanDependents (boolean)

    Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.

  • preconditions (Preconditions)

    Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.

    Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.

    • preconditions.resourceVersion (string)

      Specifies the target ResourceVersion

    • preconditions.uid (string)

      Specifies the target UID.

  • propagationPolicy (string)

    Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.

Read article
LimitRange

LimitRange

LimitRange sets resource usage limits for each kind of resource in a Namespace.

apiVersion: v1

import "k8s.io/api/core/v1"

LimitRange

LimitRange sets resource usage limits for each kind of resource in a Namespace.


LimitRangeSpec

LimitRangeSpec defines a min/max usage limit for resources that match on kind.


  • limits ([]LimitRangeItem), required

    Limits is the list of LimitRangeItem objects that are enforced.

    LimitRangeItem defines a min/max usage limit for any resource that matches on kind.

    • limits.type (string), required

      Type of resource that this limit applies to.

    • limits.default (map[string]Quantity)

      Default resource requirement limit value by resource name if resource limit is omitted.

    • limits.defaultRequest (map[string]Quantity)

      DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.

    • limits.max (map[string]Quantity)

      Max usage constraints on this kind by resource name.

    • limits.maxLimitRequestRatio (map[string]Quantity)

      MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.

    • limits.min (map[string]Quantity)

      Min usage constraints on this kind by resource name.

LimitRangeList

LimitRangeList is a list of LimitRange items.


Operations


get read the specified LimitRange

HTTP Request

GET /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

  • name (in path): string, required

    name of the LimitRange

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (LimitRange): OK

401: Unauthorized

list list or watch objects of kind LimitRange

HTTP Request

GET /api/v1/namespaces/{namespace}/limitranges

Parameters

Response

200 (LimitRangeList): OK

401: Unauthorized

list list or watch objects of kind LimitRange

HTTP Request

GET /api/v1/limitranges

Parameters

Response

200 (LimitRangeList): OK

401: Unauthorized

create create a LimitRange

HTTP Request

POST /api/v1/namespaces/{namespace}/limitranges

Parameters

Response

200 (LimitRange): OK

201 (LimitRange): Created

202 (LimitRange): Accepted

401: Unauthorized

update replace the specified LimitRange

HTTP Request

PUT /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

Response

200 (LimitRange): OK

201 (LimitRange): Created

401: Unauthorized

patch partially update the specified LimitRange

HTTP Request

PATCH /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

  • name (in path): string, required

    name of the LimitRange

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (LimitRange): OK

201 (LimitRange): Created

401: Unauthorized

delete delete a LimitRange

HTTP Request

DELETE /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of LimitRange

HTTP Request

DELETE /api/v1/namespaces/{namespace}/limitranges

Parameters

Response

200 (Status): OK

401: Unauthorized

Read article
LocalSubjectAccessReview

LocalSubjectAccessReview

LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.

apiVersion: authorization.k8s.io/v1

import "k8s.io/api/authorization/v1"

LocalSubjectAccessReview

LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.


Operations


create create a LocalSubjectAccessReview

HTTP Request

POST /apis/authorization.k8s.io/v1/namespaces/{namespace}/localsubjectaccessreviews

Parameters

Response

200 (LocalSubjectAccessReview): OK

201 (LocalSubjectAccessReview): Created

202 (LocalSubjectAccessReview): Accepted

401: Unauthorized

Read article
Node

Node

Node is a worker node in Kubernetes.

apiVersion: v1

import "k8s.io/api/core/v1"

Node

Node is a worker node in Kubernetes. Each node will have a unique identifier in the cache (i.e. in etcd).


NodeSpec

NodeSpec describes the attributes that a node is created with.


  • configSource (NodeConfigSource)

    Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed.

    NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. This API is deprecated since 1.22

    • configSource.configMap (ConfigMapNodeConfigSource)

      ConfigMap is a reference to a Node's ConfigMap

      ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration

      • configSource.configMap.kubeletConfigKey (string), required

        KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure This field is required in all cases.

      • configSource.configMap.name (string), required

        Name is the metadata.name of the referenced ConfigMap. This field is required in all cases.

      • configSource.configMap.namespace (string), required

        Namespace is the metadata.namespace of the referenced ConfigMap. This field is required in all cases.

      • configSource.configMap.resourceVersion (string)

        ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.

      • configSource.configMap.uid (string)

        UID is the metadata.UID of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.

  • externalID (string)

    Deprecated. Not all kubelets will set this field. Remove field after 1.13. see: https://issues.k8s.io/61966

  • podCIDR (string)

    PodCIDR represents the pod IP range assigned to the node.

  • podCIDRs ([]string)

    podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for each of IPv4 and IPv6.

  • providerID (string)

    ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>

  • taints ([]Taint)

    If specified, the node's taints.

    The node this Taint is attached to has the "effect" on any pod that does not tolerate the Taint.

    • taints.effect (string), required

      Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

    • taints.key (string), required

      Required. The taint key to be applied to a node.

    • taints.timeAdded (Time)

      TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • taints.value (string)

      The taint value corresponding to the taint key.

  • unschedulable (boolean)

    Unschedulable controls node schedulability of new pods. By default, node is schedulable. More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration

NodeStatus

NodeStatus is information about the current status of a node.


  • addresses ([]NodeAddress)

    Patch strategy: merge on key type

    List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See https://pr.k8s.io/79391 for an example.

    NodeAddress contains information for the node's address.

    • addresses.address (string), required

      The node address.

    • addresses.type (string), required

      Node address type, one of Hostname, ExternalIP or InternalIP.

  • allocatable (map[string]Quantity)

    Allocatable represents the resources of a node that are available for scheduling. Defaults to Capacity.

  • capacity (map[string]Quantity)

    Capacity represents the total resources of a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity

  • conditions ([]NodeCondition)

    Patch strategy: merge on key type

    Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/concepts/nodes/node/#condition

    NodeCondition contains condition information for a node.

    • conditions.status (string), required

      Status of the condition, one of True, False, Unknown.

    • conditions.type (string), required

      Type of node condition.

    • conditions.lastHeartbeatTime (Time)

      Last time we got an update on a given condition.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.lastTransitionTime (Time)

      Last time the condition transit from one status to another.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.message (string)

      Human readable message indicating details about last transition.

    • conditions.reason (string)

      (brief) reason for the condition's last transition.

  • config (NodeConfigStatus)

    Status of the config assigned to the node via the dynamic Kubelet config feature.

    NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource.

    • config.active (NodeConfigSource)

      Active reports the checkpointed config the node is actively using. Active will represent either the current version of the Assigned config, or the current LastKnownGood config, depending on whether attempting to use the Assigned config results in an error.

      NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. This API is deprecated since 1.22

      • config.active.configMap (ConfigMapNodeConfigSource)

        ConfigMap is a reference to a Node's ConfigMap

        ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration

        • config.active.configMap.kubeletConfigKey (string), required

          KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure This field is required in all cases.

        • config.active.configMap.name (string), required

          Name is the metadata.name of the referenced ConfigMap. This field is required in all cases.

        • config.active.configMap.namespace (string), required

          Namespace is the metadata.namespace of the referenced ConfigMap. This field is required in all cases.

        • config.active.configMap.resourceVersion (string)

          ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.

        • config.active.configMap.uid (string)

          UID is the metadata.UID of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.

    • config.assigned (NodeConfigSource)

      Assigned reports the checkpointed config the node will try to use. When Node.Spec.ConfigSource is updated, the node checkpoints the associated config payload to local disk, along with a record indicating intended config. The node refers to this record to choose its config checkpoint, and reports this record in Assigned. Assigned only updates in the status after the record has been checkpointed to disk. When the Kubelet is restarted, it tries to make the Assigned config the Active config by loading and validating the checkpointed payload identified by Assigned.

      NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. This API is deprecated since 1.22

      • config.assigned.configMap (ConfigMapNodeConfigSource)

        ConfigMap is a reference to a Node's ConfigMap

        ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration

        • config.assigned.configMap.kubeletConfigKey (string), required

          KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure This field is required in all cases.

        • config.assigned.configMap.name (string), required

          Name is the metadata.name of the referenced ConfigMap. This field is required in all cases.

        • config.assigned.configMap.namespace (string), required

          Namespace is the metadata.namespace of the referenced ConfigMap. This field is required in all cases.

        • config.assigned.configMap.resourceVersion (string)

          ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.

        • config.assigned.configMap.uid (string)

          UID is the metadata.UID of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.

    • config.error (string)

      Error describes any problems reconciling the Spec.ConfigSource to the Active config. Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting to load or validate the Assigned config, etc. Errors may occur at different points while syncing config. Earlier errors (e.g. download or checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in a rollback to LastKnownGood. In the latter case, it is usually possible to resolve the error by fixing the config assigned in Spec.ConfigSource. You can find additional information for debugging by searching the error message in the Kubelet log. Error is a human-readable description of the error state; machines can check whether or not Error is empty, but should not rely on the stability of the Error text across Kubelet versions.

    • config.lastKnownGood (NodeConfigSource)

      LastKnownGood reports the checkpointed config the node will fall back to when it encounters an error attempting to use the Assigned config. The Assigned config becomes the LastKnownGood config when the node determines that the Assigned config is stable and correct. This is currently implemented as a 10-minute soak period starting when the local record of Assigned config is updated. If the Assigned config is Active at the end of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, because the local default config is always assumed good. You should not make assumptions about the node's method of determining config stability and correctness, as this may change or become configurable in the future.

      NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. This API is deprecated since 1.22

      • config.lastKnownGood.configMap (ConfigMapNodeConfigSource)

        ConfigMap is a reference to a Node's ConfigMap

        ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration

        • config.lastKnownGood.configMap.kubeletConfigKey (string), required

          KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure This field is required in all cases.

        • config.lastKnownGood.configMap.name (string), required

          Name is the metadata.name of the referenced ConfigMap. This field is required in all cases.

        • config.lastKnownGood.configMap.namespace (string), required

          Namespace is the metadata.namespace of the referenced ConfigMap. This field is required in all cases.

        • config.lastKnownGood.configMap.resourceVersion (string)

          ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.

        • config.lastKnownGood.configMap.uid (string)

          UID is the metadata.UID of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.

  • daemonEndpoints (NodeDaemonEndpoints)

    Endpoints of daemons running on the Node.

    NodeDaemonEndpoints lists ports opened by daemons running on the Node.

    • daemonEndpoints.kubeletEndpoint (DaemonEndpoint)

      Endpoint on which Kubelet is listening.

      DaemonEndpoint contains information about a single Daemon endpoint.

      • daemonEndpoints.kubeletEndpoint.Port (int32), required

        Port number of the given endpoint.

  • images ([]ContainerImage)

    List of container images on this node

    Describe a container image

    • images.names ([]string)

      Names by which this image is known. e.g. ["kubernetes.example/hyperkube:v1.0.7", "cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7"]

    • images.sizeBytes (int64)

      The size of the image in bytes.

  • nodeInfo (NodeSystemInfo)

    Set of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#info

    NodeSystemInfo is a set of ids/uuids to uniquely identify the node.

    • nodeInfo.architecture (string), required

      The Architecture reported by the node

    • nodeInfo.bootID (string), required

      Boot ID reported by the node.

    • nodeInfo.containerRuntimeVersion (string), required

      ContainerRuntime Version reported by the node through runtime remote API (e.g. containerd://1.4.2).

    • nodeInfo.kernelVersion (string), required

      Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).

    • nodeInfo.kubeProxyVersion (string), required

      KubeProxy Version reported by the node.

    • nodeInfo.kubeletVersion (string), required

      Kubelet Version reported by the node.

    • nodeInfo.machineID (string), required

      MachineID reported by the node. For unique machine identification in the cluster this field is preferred. Learn more from man(5) machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html

    • nodeInfo.operatingSystem (string), required

      The Operating System reported by the node

    • nodeInfo.osImage (string), required

      OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).

    • nodeInfo.systemUUID (string), required

      SystemUUID reported by the node. For unique machine identification MachineID is preferred. This field is specific to Red Hat hosts https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid

  • phase (string)

    NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.

  • volumesAttached ([]AttachedVolume)

    List of volumes that are attached to the node.

    AttachedVolume describes a volume attached to a node

    • volumesAttached.devicePath (string), required

      DevicePath represents the device path where the volume should be available

    • volumesAttached.name (string), required

      Name of the attached volume

  • volumesInUse ([]string)

    List of attachable volumes in use (mounted) by the node.

NodeList

NodeList is the whole list of all Nodes which have been registered with master.


Operations


get read the specified Node

HTTP Request

GET /api/v1/nodes/{name}

Parameters

  • name (in path): string, required

    name of the Node

  • pretty (in query): string

    pretty

Response

200 (Node): OK

401: Unauthorized

get read status of the specified Node

HTTP Request

GET /api/v1/nodes/{name}/status

Parameters

  • name (in path): string, required

    name of the Node

  • pretty (in query): string

    pretty

Response

200 (Node): OK

401: Unauthorized

list list or watch objects of kind Node

HTTP Request

GET /api/v1/nodes

Parameters

Response

200 (NodeList): OK

401: Unauthorized

create create a Node

HTTP Request

POST /api/v1/nodes

Parameters

Response

200 (Node): OK

201 (Node): Created

202 (Node): Accepted

401: Unauthorized

update replace the specified Node

HTTP Request

PUT /api/v1/nodes/{name}

Parameters

  • name (in path): string, required

    name of the Node

  • body: Node, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • pretty (in query): string

    pretty

Response

200 (Node): OK

201 (Node): Created

401: Unauthorized

update replace status of the specified Node

HTTP Request

PUT /api/v1/nodes/{name}/status

Parameters

  • name (in path): string, required

    name of the Node

  • body: Node, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • pretty (in query): string

    pretty

Response

200 (Node): OK

201 (Node): Created

401: Unauthorized

patch partially update the specified Node

HTTP Request

PATCH /api/v1/nodes/{name}

Parameters

  • name (in path): string, required

    name of the Node

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (Node): OK

201 (Node): Created

401: Unauthorized

patch partially update status of the specified Node

HTTP Request

PATCH /api/v1/nodes/{name}/status

Parameters

  • name (in path): string, required

    name of the Node

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (Node): OK

201 (Node): Created

401: Unauthorized

delete delete a Node

HTTP Request

DELETE /api/v1/nodes/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of Node

HTTP Request

DELETE /api/v1/nodes

Parameters

Response

200 (Status): OK

401: Unauthorized

Read article
Overview of Cloud Native Security

Overview of Cloud Native Security

A model for thinking about Kubernetes security in the context of Cloud Native security.

This overview defines a model for thinking about Kubernetes security in the context of Cloud Native security.

The 4C's of Cloud Native security

You can think about security in layers. The 4C's of Cloud Native security are Cloud, Clusters, Containers, and Code.

The 4C's of Cloud Native Security

Each layer of the Cloud Native security model builds upon the next outermost layer. The Code layer benefits from strong base (Cloud, Cluster, Container) security layers. You cannot safeguard against poor security standards in the base layers by addressing security at the Code level.

Cloud

In many ways, the Cloud (or co-located servers, or the corporate datacenter) is the trusted computing base of a Kubernetes cluster. If the Cloud layer is vulnerable (or configured in a vulnerable way) then there is no guarantee that the components built on top of this base are secure. Each cloud provider makes security recommendations for running workloads securely in their environment.

Cloud provider security

If you are running a Kubernetes cluster on your own hardware or a different cloud provider, consult your documentation for security best practices. Here are links to some of the popular cloud providers' security documentation:

Cloud provider security
IaaS ProviderLink
Alibaba Cloudhttps://www.alibabacloud.com/trust-center
Amazon Web Serviceshttps://aws.amazon.com/security
Google Cloud Platformhttps://cloud.google.com/security
Huawei Cloudhttps://www.huaweicloud.com/securecenter/overallsafety
IBM Cloudhttps://www.ibm.com/cloud/security
Microsoft Azurehttps://docs.microsoft.com/en-us/azure/security/azure-security
Oracle Cloud Infrastructurehttps://www.oracle.com/security
VMware vSpherehttps://www.vmware.com/security/hardening-guides

Infrastructure security

Suggestions for securing your infrastructure in a Kubernetes cluster:

Infrastructure security
Area of Concern for Kubernetes InfrastructureRecommendation
Network access to API Server (Control plane)All access to the Kubernetes control plane is not allowed publicly on the internet and is controlled by network access control lists restricted to the set of IP addresses needed to administer the cluster.
Network access to Nodes (nodes)Nodes should be configured to only accept connections (via network access control lists) from the control plane on the specified ports, and accept connections for services in Kubernetes of type NodePort and LoadBalancer. If possible, these nodes should not be exposed on the public internet entirely.
Kubernetes access to Cloud Provider APIEach cloud provider needs to grant a different set of permissions to the Kubernetes control plane and nodes. It is best to provide the cluster with cloud provider access that follows the principle of least privilege for the resources it needs to administer. The Kops documentation provides information about IAM policies and roles.
Access to etcdAccess to etcd (the datastore of Kubernetes) should be limited to the control plane only. Depending on your configuration, you should attempt to use etcd over TLS. More information can be found in the etcd documentation.
etcd EncryptionWherever possible it's a good practice to encrypt all storage at rest, and since etcd holds the state of the entire cluster (including Secrets) its disk should especially be encrypted at rest.

Cluster

There are two areas of concern for securing Kubernetes:

  • Securing the cluster components that are configurable
  • Securing the applications which run in the cluster

Components of the Cluster

If you want to protect your cluster from accidental or malicious access and adopt good information practices, read and follow the advice about securing your cluster.

Components in the cluster (your application)

Depending on the attack surface of your application, you may want to focus on specific aspects of security. For example: If you are running a service (Service A) that is critical in a chain of other resources and a separate workload (Service B) which is vulnerable to a resource exhaustion attack, then the risk of compromising Service A is high if you do not limit the resources of Service B. The following table lists areas of security concerns and recommendations for securing workloads running in Kubernetes:

Area of Concern for Workload SecurityRecommendation
RBAC Authorization (Access to the Kubernetes API)https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Authenticationhttps://kubernetes.io/docs/concepts/security/controlling-access/
Application secrets management (and encrypting them in etcd at rest)https://kubernetes.io/docs/concepts/configuration/secret/
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
Ensuring that pods meet defined Pod Security Standardshttps://kubernetes.io/docs/concepts/security/pod-security-standards/#policy-instantiation
Quality of Service (and Cluster resource management)https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/
Network Policieshttps://kubernetes.io/docs/concepts/services-networking/network-policies/
TLS for Kubernetes Ingresshttps://kubernetes.io/docs/concepts/services-networking/ingress/#tls

Container

Container security is outside the scope of this guide. Here are general recommendations and links to explore this topic:

Area of Concern for ContainersRecommendation
Container Vulnerability Scanning and OS Dependency SecurityAs part of an image build step, you should scan your containers for known vulnerabilities.
Image Signing and EnforcementSign container images to maintain a system of trust for the content of your containers.
Disallow privileged usersWhen constructing containers, consult your documentation for how to create users inside of the containers that have the least level of operating system privilege necessary in order to carry out the goal of the container.
Use container runtime with stronger isolationSelect container runtime classes that provide stronger isolation.

Code

Application code is one of the primary attack surfaces over which you have the most control. While securing application code is outside of the Kubernetes security topic, here are recommendations to protect application code:

Code security

Code security
Area of Concern for CodeRecommendation
Access over TLS onlyIf your code needs to communicate by TCP, perform a TLS handshake with the client ahead of time. With the exception of a few cases, encrypt everything in transit. Going one step further, it's a good idea to encrypt network traffic between services. This can be done through a process known as mutual TLS authentication or mTLS which performs a two sided verification of communication between two certificate holding services.
Limiting port ranges of communicationThis recommendation may be a bit self-explanatory, but wherever possible you should only expose the ports on your service that are absolutely essential for communication or metric gathering.
3rd Party Dependency SecurityIt is a good practice to regularly scan your application's third party libraries for known security vulnerabilities. Each programming language has a tool for performing this check automatically.
Static Code AnalysisMost languages provide a way for a snippet of code to be analyzed for any potentially unsafe coding practices. Whenever possible you should perform checks using automated tooling that can scan codebases for common security errors. Some of the tools can be found at: https://owasp.org/www-community/Source_Code_Analysis_Tools
Dynamic probing attacksThere are a few automated tools that you can run against your service to try some of the well known service attacks. These include SQL injection, CSRF, and XSS. One of the most popular dynamic analysis tools is the OWASP Zed Attack proxy tool.

What's next

Learn about related Kubernetes security topics:

Read article
Pod

Pod

Pod is a collection of containers that can run on a host.

apiVersion: v1

import "k8s.io/api/core/v1"

Pod

Pod is a collection of containers that can run on a host. This resource is created by clients and scheduled onto hosts.


PodSpec

PodSpec is a description of a pod.


Containers

  • containers ([]Container), required

    Patch strategy: merge on key name

    List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.

  • initContainers ([]Container)

    Patch strategy: merge on key name

    List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

  • ephemeralContainers ([]EphemeralContainer)

    Patch strategy: merge on key name

    List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.

  • imagePullSecrets ([]LocalObjectReference)

    Patch strategy: merge on key name

    ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod

  • enableServiceLinks (boolean)

    EnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. Optional: Defaults to true.

  • os (PodOS)

    Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.

    If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions

    If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[].securityContext.seLinuxOptions - spec.containers[].securityContext.seccompProfile - spec.containers[].securityContext.capabilities - spec.containers[].securityContext.readOnlyRootFilesystem - spec.containers[].securityContext.privileged - spec.containers[].securityContext.allowPrivilegeEscalation - spec.containers[].securityContext.procMount - spec.containers[].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup

    PodOS defines the OS parameters of a pod.

Volumes

Scheduling

  • nodeSelector (map[string]string)

    NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

  • nodeName (string)

    NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.

  • affinity (Affinity)

    If specified, the pod's scheduling constraints

    Affinity is a group of affinity scheduling rules.

    • affinity.nodeAffinity (NodeAffinity)

      Describes node affinity scheduling rules for the pod.

    • affinity.podAffinity (PodAffinity)

      Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).

    • affinity.podAntiAffinity (PodAntiAffinity)

      Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).

  • tolerations ([]Toleration)

    If specified, the pod's tolerations.

    The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator .

    • tolerations.key (string)

      Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

    • tolerations.operator (string)

      Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

    • tolerations.value (string)

      Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

    • tolerations.effect (string)

      Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

    • tolerations.tolerationSeconds (int64)

      TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

  • schedulerName (string)

    If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.

  • runtimeClassName (string)

    RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class

  • priorityClassName (string)

    If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.

  • priority (int32)

    The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.

  • preemptionPolicy (string)

    PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.

  • topologySpreadConstraints ([]TopologySpreadConstraint)

    Patch strategy: merge on key topologyKey

    Map: unique values on keys topologyKey, whenUnsatisfiable will be kept during a merge

    TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed.

    TopologySpreadConstraint specifies how to spread matching pods among the given topology.

    • topologySpreadConstraints.maxSkew (int32), required

      MaxSkew describes the degree to which pods may be unevenly distributed. When whenUnsatisfiable=DoNotSchedule, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | | P P | P P | P | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When whenUnsatisfiable=ScheduleAnyway, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.

    • topologySpreadConstraints.topologyKey (string), required

      TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each <key, value> as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's a required field.

    • topologySpreadConstraints.whenUnsatisfiable (string), required

      WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it more imbalanced. It's a required field.

    • topologySpreadConstraints.labelSelector (LabelSelector)

      LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.

    • topologySpreadConstraints.matchLabelKeys ([]string)

      Atomic: will be replaced during a merge

      MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.

    • topologySpreadConstraints.minDomains (int32)

      MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule.

      For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew.

      This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).

    • topologySpreadConstraints.nodeAffinityPolicy (string)

      NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.

      If this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.

    • topologySpreadConstraints.nodeTaintsPolicy (string)

      NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.

      If this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.

  • overhead (map[string]Quantity)

    Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md

Lifecycle

  • restartPolicy (string)

    Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy

  • terminationGracePeriodSeconds (int64)

    Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.

  • activeDeadlineSeconds (int64)

    Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.

  • readinessGates ([]PodReadinessGate)

    If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates

    PodReadinessGate contains the reference to a pod condition

    • readinessGates.conditionType (string), required

      ConditionType refers to a condition in the pod's condition list with matching type.

Hostname and Name resolution

  • hostname (string)

    Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.

  • setHostnameAsFQDN (boolean)

    If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to FQDN. If a pod does not have FQDN, this has no effect. Default to false.

  • subdomain (string)

    If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>". If not specified, the pod will not have a domainname at all.

  • hostAliases ([]HostAlias)

    Patch strategy: merge on key ip

    HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods.

    HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.

    • hostAliases.hostnames ([]string)

      Hostnames for the above IP address.

    • hostAliases.ip (string)

      IP address of the host file entry.

  • dnsConfig (PodDNSConfig)

    Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.

    PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.

    • dnsConfig.nameservers ([]string)

      A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.

    • dnsConfig.options ([]PodDNSConfigOption)

      A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.

      PodDNSConfigOption defines DNS resolver options of a pod.

      • dnsConfig.options.name (string)

        Required.

      • dnsConfig.options.value (string)

    • dnsConfig.searches ([]string)

      A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.

  • dnsPolicy (string)

    Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.

Hosts namespaces

  • hostNetwork (boolean)

    Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.

  • hostPID (boolean)

    Use the host's pid namespace. Optional: Default to false.

  • hostIPC (boolean)

    Use the host's ipc namespace. Optional: Default to false.

  • shareProcessNamespace (boolean)

    Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.

Service account

Security context

  • securityContext (PodSecurityContext)

    SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.

    PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.

    • securityContext.runAsUser (int64)

      The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.runAsNonRoot (boolean)

      Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

    • securityContext.runAsGroup (int64)

      The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.supplementalGroups ([]int64)

      A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.fsGroup (int64)

      A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:

      1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----

      If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.fsGroupChangePolicy (string)

      fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.seccompProfile (SeccompProfile)

      The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.

      SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.

      • securityContext.seccompProfile.type (string), required

        type indicates which kind of seccomp profile will be applied. Valid options are:

        Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.

      • securityContext.seccompProfile.localhostProfile (string)

        localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".

    • securityContext.seLinuxOptions (SELinuxOptions)

      The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

      SELinuxOptions are the labels to be applied to the container

      • securityContext.seLinuxOptions.level (string)

        Level is SELinux level label that applies to the container.

      • securityContext.seLinuxOptions.role (string)

        Role is a SELinux role label that applies to the container.

      • securityContext.seLinuxOptions.type (string)

        Type is a SELinux type label that applies to the container.

      • securityContext.seLinuxOptions.user (string)

        User is a SELinux user label that applies to the container.

    • securityContext.sysctls ([]Sysctl)

      Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.

      Sysctl defines a kernel parameter to be set

      • securityContext.sysctls.name (string), required

        Name of a property to set

      • securityContext.sysctls.value (string), required

        Value of a property to set

    • securityContext.windowsOptions (WindowsSecurityContextOptions)

      The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.

      WindowsSecurityContextOptions contain Windows-specific options and credentials.

      • securityContext.windowsOptions.gmsaCredentialSpec (string)

        GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.

      • securityContext.windowsOptions.gmsaCredentialSpecName (string)

        GMSACredentialSpecName is the name of the GMSA credential spec to use.

      • securityContext.windowsOptions.hostProcess (boolean)

        HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.

      • securityContext.windowsOptions.runAsUserName (string)

        The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

Alpha level

  • hostUsers (boolean)

    Use the host's user namespace. Optional: Default to true. If set to true or not present, the pod will be run in the host user namespace, useful for when the pod needs a feature only available to the host user namespace, such as loading a kernel module with CAP_SYS_MODULE. When set to false, a new userns is created for the pod. Setting false is useful for mitigating container breakout vulnerabilities even allowing users to run their containers as root without actually having root privileges on the host. This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.

  • resourceClaims ([]PodResourceClaim)

    Patch strategies: retainKeys, merge on key name

    Map: unique values on key name will be kept during a merge

    ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.

    This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

    This field is immutable.

    PodResourceClaim references exactly one ResourceClaim through a ClaimSource. It adds a name to it that uniquely identifies the ResourceClaim inside the Pod. Containers that need access to the ResourceClaim reference it with this name.

    • resourceClaims.name (string), required

      Name uniquely identifies this resource claim inside the pod. This must be a DNS_LABEL.

    • resourceClaims.source (ClaimSource)

      Source describes where to find the ResourceClaim.

      *ClaimSource describes a reference to a ResourceClaim.

      Exactly one of these fields should be set. Consumers of this type must treat an empty object as if it has an unknown value.*

      • resourceClaims.source.resourceClaimName (string)

        ResourceClaimName is the name of a ResourceClaim object in the same namespace as this pod.

      • resourceClaims.source.resourceClaimTemplateName (string)

        ResourceClaimTemplateName is the name of a ResourceClaimTemplate object in the same namespace as this pod.

        The template will be used to create a new ResourceClaim, which will be bound to this pod. When this pod is deleted, the ResourceClaim will also be deleted. The name of the ResourceClaim will be <pod name>-<resource name>, where <resource name> is the PodResourceClaim.Name. Pod validation will reject the pod if the concatenated name is not valid for a ResourceClaim (e.g. too long).

        An existing ResourceClaim with that name that is not owned by the pod will not be used for the pod to avoid using an unrelated resource by mistake. Scheduling and pod startup are then blocked until the unrelated ResourceClaim is removed.

        This field is immutable and no changes will be made to the corresponding ResourceClaim by the control plane after creating the ResourceClaim.

  • schedulingGates ([]PodSchedulingGate)

    Patch strategy: merge on key name

    Map: unique values on key name will be kept during a merge

    SchedulingGates is an opaque list of values that if specified will block scheduling the pod. More info: https://git.k8s.io/enhancements/keps/sig-scheduling/3521-pod-scheduling-readiness.

    This is an alpha-level feature enabled by PodSchedulingReadiness feature gate.

    PodSchedulingGate is associated to a Pod to guard its scheduling.

    • schedulingGates.name (string), required

      Name of the scheduling gate. Each scheduling gate must have a unique name field.

Deprecated

  • serviceAccount (string)

    DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.

Container

A single application container that you want to run within a pod.


  • name (string), required

    Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.

Image

Entrypoint

  • command ([]string)

    Entrypoint array. Not executed within a shell. The container image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

  • args ([]string)

    Arguments to the entrypoint. The container image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

  • workingDir (string)

    Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.

Ports

  • ports ([]ContainerPort)

    Patch strategy: merge on key containerPort

    Map: unique values on keys containerPort, protocol will be kept during a merge

    List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated.

    ContainerPort represents a network port in a single container.

    • ports.containerPort (int32), required

      Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.

    • ports.hostIP (string)

      What host IP to bind the external port to.

    • ports.hostPort (int32)

      Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.

    • ports.name (string)

      If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.

    • ports.protocol (string)

      Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".

Environment variables

  • env ([]EnvVar)

    Patch strategy: merge on key name

    List of environment variables to set in the container. Cannot be updated.

    EnvVar represents an environment variable present in a Container.

    • env.name (string), required

      Name of the environment variable. Must be a C_IDENTIFIER.

    • env.value (string)

      Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

    • env.valueFrom (EnvVarSource)

      Source for the environment variable's value. Cannot be used if value is not empty.

      EnvVarSource represents a source for the value of an EnvVar.

      • env.valueFrom.configMapKeyRef (ConfigMapKeySelector)

        Selects a key of a ConfigMap.

        Selects a key from a ConfigMap.

      • env.valueFrom.fieldRef (ObjectFieldSelector)

        Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['\<KEY>'], metadata.annotations['\<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

      • env.valueFrom.resourceFieldRef (ResourceFieldSelector)

        Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

      • env.valueFrom.secretKeyRef (SecretKeySelector)

        Selects a key of a secret in the pod's namespace

        SecretKeySelector selects a key of a Secret.

  • envFrom ([]EnvFromSource)

    List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.

    EnvFromSource represents the source of a set of ConfigMaps

    • envFrom.configMapRef (ConfigMapEnvSource)

      The ConfigMap to select from

      *ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.

      The contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.*

    • envFrom.prefix (string)

      An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.

    • envFrom.secretRef (SecretEnvSource)

      The Secret to select from

      *SecretEnvSource selects a Secret to populate the environment variables with.

      The contents of the target Secret's Data field will represent the key-value pairs as environment variables.*

Volumes

  • volumeMounts ([]VolumeMount)

    Patch strategy: merge on key mountPath

    Pod volumes to mount into the container's filesystem. Cannot be updated.

    VolumeMount describes a mounting of a Volume within a container.

    • volumeMounts.mountPath (string), required

      Path within the container at which the volume should be mounted. Must not contain ':'.

    • volumeMounts.name (string), required

      This must match the Name of a Volume.

    • volumeMounts.mountPropagation (string)

      mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.

    • volumeMounts.readOnly (boolean)

      Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

    • volumeMounts.subPath (string)

      Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

    • volumeMounts.subPathExpr (string)

      Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.

  • volumeDevices ([]VolumeDevice)

    Patch strategy: merge on key devicePath

    volumeDevices is the list of block devices to be used by the container.

    volumeDevice describes a mapping of a raw block device within a container.

    • volumeDevices.devicePath (string), required

      devicePath is the path inside of the container that the device will be mapped to.

    • volumeDevices.name (string), required

      name must match the name of a persistentVolumeClaim in the pod

Resources

  • resources (ResourceRequirements)

    Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

    ResourceRequirements describes the compute resource requirements.

    • resources.claims ([]ResourceClaim)

      Set: unique values will be kept during a merge

      Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

      This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

      This field is immutable.

      ResourceClaim references one entry in PodSpec.ResourceClaims.

      • resources.claims.name (string), required

        Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

    • resources.limits (map[string]Quantity)

      Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

    • resources.requests (map[string]Quantity)

      Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Lifecycle

  • lifecycle (Lifecycle)

    Actions that the management system should take in response to container lifecycle events. Cannot be updated.

    Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.

    • lifecycle.postStart (LifecycleHandler)

      PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

    • lifecycle.preStop (LifecycleHandler)

      PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

  • terminationMessagePath (string)

    Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.

  • terminationMessagePolicy (string)

    Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.

  • livenessProbe (Probe)

    Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

  • readinessProbe (Probe)

    Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

  • startupProbe (Probe)

    StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

Security Context

  • securityContext (SecurityContext)

    SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

    SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.

    • securityContext.runAsUser (int64)

      The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.runAsNonRoot (boolean)

      Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

    • securityContext.runAsGroup (int64)

      The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.readOnlyRootFilesystem (boolean)

      Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.procMount (string)

      procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.privileged (boolean)

      Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.allowPrivilegeEscalation (boolean)

      AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.

    • securityContext.capabilities (Capabilities)

      The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.

      Adds and removes POSIX capabilities from running containers.

      • securityContext.capabilities.add ([]string)

        Added capabilities

      • securityContext.capabilities.drop ([]string)

        Removed capabilities

    • securityContext.seccompProfile (SeccompProfile)

      The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.

      SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.

      • securityContext.seccompProfile.type (string), required

        type indicates which kind of seccomp profile will be applied. Valid options are:

        Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.

      • securityContext.seccompProfile.localhostProfile (string)

        localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".

    • securityContext.seLinuxOptions (SELinuxOptions)

      The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.

      SELinuxOptions are the labels to be applied to the container

      • securityContext.seLinuxOptions.level (string)

        Level is SELinux level label that applies to the container.

      • securityContext.seLinuxOptions.role (string)

        Role is a SELinux role label that applies to the container.

      • securityContext.seLinuxOptions.type (string)

        Type is a SELinux type label that applies to the container.

      • securityContext.seLinuxOptions.user (string)

        User is a SELinux user label that applies to the container.

    • securityContext.windowsOptions (WindowsSecurityContextOptions)

      The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.

      WindowsSecurityContextOptions contain Windows-specific options and credentials.

      • securityContext.windowsOptions.gmsaCredentialSpec (string)

        GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.

      • securityContext.windowsOptions.gmsaCredentialSpecName (string)

        GMSACredentialSpecName is the name of the GMSA credential spec to use.

      • securityContext.windowsOptions.hostProcess (boolean)

        HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.

      • securityContext.windowsOptions.runAsUserName (string)

        The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

Debugging

  • stdin (boolean)

    Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.

  • stdinOnce (boolean)

    Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false

  • tty (boolean)

    Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.

EphemeralContainer

An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the Pod to exceed its resource allocation.

To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers may not be removed or restarted.


  • name (string), required

    Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers.

  • targetContainerName (string)

    If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec.

    The container runtime must implement support for this feature. If the runtime does not support namespace targeting then the result of setting this field is undefined.

Image

Entrypoint

  • command ([]string)

    Entrypoint array. Not executed within a shell. The image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

  • args ([]string)

    Arguments to the entrypoint. The image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

  • workingDir (string)

    Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.

Environment variables

  • env ([]EnvVar)

    Patch strategy: merge on key name

    List of environment variables to set in the container. Cannot be updated.

    EnvVar represents an environment variable present in a Container.

    • env.name (string), required

      Name of the environment variable. Must be a C_IDENTIFIER.

    • env.value (string)

      Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

    • env.valueFrom (EnvVarSource)

      Source for the environment variable's value. Cannot be used if value is not empty.

      EnvVarSource represents a source for the value of an EnvVar.

      • env.valueFrom.configMapKeyRef (ConfigMapKeySelector)

        Selects a key of a ConfigMap.

        Selects a key from a ConfigMap.

      • env.valueFrom.fieldRef (ObjectFieldSelector)

        Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['\<KEY>'], metadata.annotations['\<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

      • env.valueFrom.resourceFieldRef (ResourceFieldSelector)

        Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

      • env.valueFrom.secretKeyRef (SecretKeySelector)

        Selects a key of a secret in the pod's namespace

        SecretKeySelector selects a key of a Secret.

  • envFrom ([]EnvFromSource)

    List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.

    EnvFromSource represents the source of a set of ConfigMaps

    • envFrom.configMapRef (ConfigMapEnvSource)

      The ConfigMap to select from

      *ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.

      The contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.*

    • envFrom.prefix (string)

      An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.

    • envFrom.secretRef (SecretEnvSource)

      The Secret to select from

      *SecretEnvSource selects a Secret to populate the environment variables with.

      The contents of the target Secret's Data field will represent the key-value pairs as environment variables.*

Volumes

  • volumeMounts ([]VolumeMount)

    Patch strategy: merge on key mountPath

    Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. Cannot be updated.

    VolumeMount describes a mounting of a Volume within a container.

    • volumeMounts.mountPath (string), required

      Path within the container at which the volume should be mounted. Must not contain ':'.

    • volumeMounts.name (string), required

      This must match the Name of a Volume.

    • volumeMounts.mountPropagation (string)

      mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.

    • volumeMounts.readOnly (boolean)

      Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

    • volumeMounts.subPath (string)

      Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

    • volumeMounts.subPathExpr (string)

      Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.

  • volumeDevices ([]VolumeDevice)

    Patch strategy: merge on key devicePath

    volumeDevices is the list of block devices to be used by the container.

    volumeDevice describes a mapping of a raw block device within a container.

    • volumeDevices.devicePath (string), required

      devicePath is the path inside of the container that the device will be mapped to.

    • volumeDevices.name (string), required

      name must match the name of a persistentVolumeClaim in the pod

Lifecycle

  • terminationMessagePath (string)

    Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.

  • terminationMessagePolicy (string)

    Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.

Debugging

  • stdin (boolean)

    Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.

  • stdinOnce (boolean)

    Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false

  • tty (boolean)

    Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.

Security context

  • securityContext (SecurityContext)

    Optional: SecurityContext defines the security options the ephemeral container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.

    SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.

    • securityContext.runAsUser (int64)

      The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.runAsNonRoot (boolean)

      Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

    • securityContext.runAsGroup (int64)

      The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.readOnlyRootFilesystem (boolean)

      Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.procMount (string)

      procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.privileged (boolean)

      Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.

    • securityContext.allowPrivilegeEscalation (boolean)

      AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.

    • securityContext.capabilities (Capabilities)

      The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.

      Adds and removes POSIX capabilities from running containers.

      • securityContext.capabilities.add ([]string)

        Added capabilities

      • securityContext.capabilities.drop ([]string)

        Removed capabilities

    • securityContext.seccompProfile (SeccompProfile)

      The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.

      SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.

      • securityContext.seccompProfile.type (string), required

        type indicates which kind of seccomp profile will be applied. Valid options are:

        Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.

      • securityContext.seccompProfile.localhostProfile (string)

        localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".

    • securityContext.seLinuxOptions (SELinuxOptions)

      The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.

      SELinuxOptions are the labels to be applied to the container

      • securityContext.seLinuxOptions.level (string)

        Level is SELinux level label that applies to the container.

      • securityContext.seLinuxOptions.role (string)

        Role is a SELinux role label that applies to the container.

      • securityContext.seLinuxOptions.type (string)

        Type is a SELinux type label that applies to the container.

      • securityContext.seLinuxOptions.user (string)

        User is a SELinux user label that applies to the container.

    • securityContext.windowsOptions (WindowsSecurityContextOptions)

      The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.

      WindowsSecurityContextOptions contain Windows-specific options and credentials.

      • securityContext.windowsOptions.gmsaCredentialSpec (string)

        GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.

      • securityContext.windowsOptions.gmsaCredentialSpecName (string)

        GMSACredentialSpecName is the name of the GMSA credential spec to use.

      • securityContext.windowsOptions.hostProcess (boolean)

        HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.

      • securityContext.windowsOptions.runAsUserName (string)

        The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

Not allowed

  • ports ([]ContainerPort)

    Patch strategy: merge on key containerPort

    Map: unique values on keys containerPort, protocol will be kept during a merge

    Ports are not allowed for ephemeral containers.

    ContainerPort represents a network port in a single container.

    • ports.containerPort (int32), required

      Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.

    • ports.hostIP (string)

      What host IP to bind the external port to.

    • ports.hostPort (int32)

      Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.

    • ports.name (string)

      If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.

    • ports.protocol (string)

      Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".

  • resources (ResourceRequirements)

    Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod.

    ResourceRequirements describes the compute resource requirements.

    • resources.claims ([]ResourceClaim)

      Set: unique values will be kept during a merge

      Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

      This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

      This field is immutable.

      ResourceClaim references one entry in PodSpec.ResourceClaims.

      • resources.claims.name (string), required

        Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

    • resources.limits (map[string]Quantity)

      Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

    • resources.requests (map[string]Quantity)

      Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

  • lifecycle (Lifecycle)

    Lifecycle is not allowed for ephemeral containers.

    Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.

    • lifecycle.postStart (LifecycleHandler)

      PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

    • lifecycle.preStop (LifecycleHandler)

      PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks

  • livenessProbe (Probe)

    Probes are not allowed for ephemeral containers.

  • readinessProbe (Probe)

    Probes are not allowed for ephemeral containers.

  • startupProbe (Probe)

    Probes are not allowed for ephemeral containers.

LifecycleHandler

LifecycleHandler defines a specific action that should be taken in a lifecycle hook. One and only one of the fields, except TCPSocket must be specified.


  • exec (ExecAction)

    Exec specifies the action to take.

    ExecAction describes a "run in container" action.

    • exec.command ([]string)

      Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

  • httpGet (HTTPGetAction)

    HTTPGet specifies the http request to perform.

    HTTPGetAction describes an action based on HTTP Get requests.

    • httpGet.port (IntOrString), required

      Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

      IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

    • httpGet.host (string)

      Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

    • httpGet.httpHeaders ([]HTTPHeader)

      Custom headers to set in the request. HTTP allows repeated headers.

      HTTPHeader describes a custom header to be used in HTTP probes

      • httpGet.httpHeaders.name (string), required

        The header field name

      • httpGet.httpHeaders.value (string), required

        The header field value

    • httpGet.path (string)

      Path to access on the HTTP server.

    • httpGet.scheme (string)

      Scheme to use for connecting to the host. Defaults to HTTP.

  • tcpSocket (TCPSocketAction)

    Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified.

    TCPSocketAction describes an action based on opening a socket

    • tcpSocket.port (IntOrString), required

      Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

      IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

    • tcpSocket.host (string)

      Optional: Host name to connect to, defaults to the pod IP.

NodeAffinity

Node affinity is a group of node affinity scheduling rules.


  • preferredDuringSchedulingIgnoredDuringExecution ([]PreferredSchedulingTerm)

    The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.

    An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).

    • preferredDuringSchedulingIgnoredDuringExecution.preference (NodeSelectorTerm), required

      A node selector term, associated with the corresponding weight.

      A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.

      • preferredDuringSchedulingIgnoredDuringExecution.preference.matchExpressions ([]NodeSelectorRequirement)

        A list of node selector requirements by node's labels.

      • preferredDuringSchedulingIgnoredDuringExecution.preference.matchFields ([]NodeSelectorRequirement)

        A list of node selector requirements by node's fields.

    • preferredDuringSchedulingIgnoredDuringExecution.weight (int32), required

      Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.

  • requiredDuringSchedulingIgnoredDuringExecution (NodeSelector)

    If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.

    A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.

    • requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms ([]NodeSelectorTerm), required

      Required. A list of node selector terms. The terms are ORed.

      A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.

      • requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms.matchExpressions ([]NodeSelectorRequirement)

        A list of node selector requirements by node's labels.

      • requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms.matchFields ([]NodeSelectorRequirement)

        A list of node selector requirements by node's fields.

PodAffinity

Pod affinity is a group of inter pod affinity scheduling rules.


  • preferredDuringSchedulingIgnoredDuringExecution ([]WeightedPodAffinityTerm)

    The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

    The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

    • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm (PodAffinityTerm), required

      Required. A pod affinity term, associated with the corresponding weight.

      Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running

      • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.topologyKey (string), required

        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

      • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.labelSelector (LabelSelector)

        A label query over a set of resources, in this case pods.

      • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.namespaceSelector (LabelSelector)

        A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

      • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.namespaces ([]string)

        namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

    • preferredDuringSchedulingIgnoredDuringExecution.weight (int32), required

      weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

  • requiredDuringSchedulingIgnoredDuringExecution ([]PodAffinityTerm)

    If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

    Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running

    • requiredDuringSchedulingIgnoredDuringExecution.topologyKey (string), required

      This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

    • requiredDuringSchedulingIgnoredDuringExecution.labelSelector (LabelSelector)

      A label query over a set of resources, in this case pods.

    • requiredDuringSchedulingIgnoredDuringExecution.namespaceSelector (LabelSelector)

      A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

    • requiredDuringSchedulingIgnoredDuringExecution.namespaces ([]string)

      namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

PodAntiAffinity

Pod anti affinity is a group of inter pod anti affinity scheduling rules.


  • preferredDuringSchedulingIgnoredDuringExecution ([]WeightedPodAffinityTerm)

    The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

    The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

    • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm (PodAffinityTerm), required

      Required. A pod affinity term, associated with the corresponding weight.

      Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running

      • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.topologyKey (string), required

        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

      • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.labelSelector (LabelSelector)

        A label query over a set of resources, in this case pods.

      • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.namespaceSelector (LabelSelector)

        A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

      • preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.namespaces ([]string)

        namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

    • preferredDuringSchedulingIgnoredDuringExecution.weight (int32), required

      weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

  • requiredDuringSchedulingIgnoredDuringExecution ([]PodAffinityTerm)

    If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

    Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running

    • requiredDuringSchedulingIgnoredDuringExecution.topologyKey (string), required

      This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

    • requiredDuringSchedulingIgnoredDuringExecution.labelSelector (LabelSelector)

      A label query over a set of resources, in this case pods.

    • requiredDuringSchedulingIgnoredDuringExecution.namespaceSelector (LabelSelector)

      A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

    • requiredDuringSchedulingIgnoredDuringExecution.namespaces ([]string)

      namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

Probe

Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.


  • exec (ExecAction)

    Exec specifies the action to take.

    ExecAction describes a "run in container" action.

    • exec.command ([]string)

      Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

  • httpGet (HTTPGetAction)

    HTTPGet specifies the http request to perform.

    HTTPGetAction describes an action based on HTTP Get requests.

    • httpGet.port (IntOrString), required

      Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

      IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

    • httpGet.host (string)

      Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

    • httpGet.httpHeaders ([]HTTPHeader)

      Custom headers to set in the request. HTTP allows repeated headers.

      HTTPHeader describes a custom header to be used in HTTP probes

      • httpGet.httpHeaders.name (string), required

        The header field name

      • httpGet.httpHeaders.value (string), required

        The header field value

    • httpGet.path (string)

      Path to access on the HTTP server.

    • httpGet.scheme (string)

      Scheme to use for connecting to the host. Defaults to HTTP.

  • tcpSocket (TCPSocketAction)

    TCPSocket specifies an action involving a TCP port.

    TCPSocketAction describes an action based on opening a socket

    • tcpSocket.port (IntOrString), required

      Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

      IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

    • tcpSocket.host (string)

      Optional: Host name to connect to, defaults to the pod IP.

  • initialDelaySeconds (int32)

    Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

  • terminationGracePeriodSeconds (int64)

    Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.

  • periodSeconds (int32)

    How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.

  • timeoutSeconds (int32)

    Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

  • failureThreshold (int32)

    Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

  • successThreshold (int32)

    Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.

  • grpc (GRPCAction)

    GRPC specifies an action involving a GRPC port. This is a beta field and requires enabling GRPCContainerProbe feature gate.

    **

    • grpc.port (int32), required

      Port number of the gRPC service. Number must be in the range 1 to 65535.

    • grpc.service (string)

      Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).

      If this is not specified, the default behavior is defined by gRPC.

PodStatus

PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.


  • nominatedNodeName (string)

    nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.

  • hostIP (string)

    IP address of the host to which the pod is assigned. Empty if not yet scheduled.

  • startTime (Time)

    RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.

    Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

  • phase (string)

    The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:

    Pending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.

    More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase

  • message (string)

    A human readable message indicating details about why the pod is in this condition.

  • reason (string)

    A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'

  • podIP (string)

    IP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.

  • podIPs ([]PodIP)

    Patch strategy: merge on key ip

    podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list is empty if no IPs have been allocated yet.

    *IP address information for entries in the (plural) PodIPs field. Each entry includes:

    IP: An IP address allocated to the pod. Routable at least within the cluster.*

    • podIPs.ip (string)

      ip is an IP address (IPv4 or IPv6) assigned to the pod

  • conditions ([]PodCondition)

    Patch strategy: merge on key type

    Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions

    PodCondition contains details for the current condition of this pod.

    • conditions.status (string), required

      Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions

    • conditions.type (string), required

      Type is the type of the condition. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions

    • conditions.lastProbeTime (Time)

      Last time we probed the condition.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.lastTransitionTime (Time)

      Last time the condition transitioned from one status to another.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.message (string)

      Human-readable message indicating details about last transition.

    • conditions.reason (string)

      Unique, one-word, CamelCase reason for the condition's last transition.

  • qosClass (string)

    The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md

  • initContainerStatuses ([]ContainerStatus)

    The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status

    ContainerStatus contains details for the current status of this container.

    • initContainerStatuses.name (string), required

      This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.

    • initContainerStatuses.image (string), required

      The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.

    • initContainerStatuses.imageID (string), required

      ImageID of the container's image.

    • initContainerStatuses.containerID (string)

      Container's ID in the format '<type>://<container_id>'.

    • initContainerStatuses.state (ContainerState)

      Details about the container's current condition.

      ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.

      • initContainerStatuses.state.running (ContainerStateRunning)

        Details about a running container

        ContainerStateRunning is a running state of a container.

        • initContainerStatuses.state.running.startedAt (Time)

          Time at which the container was last (re-)started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

      • initContainerStatuses.state.terminated (ContainerStateTerminated)

        Details about a terminated container

        ContainerStateTerminated is a terminated state of a container.

        • initContainerStatuses.state.terminated.containerID (string)

          Container's ID in the format '<type>://<container_id>'

        • initContainerStatuses.state.terminated.exitCode (int32), required

          Exit status from the last termination of the container

        • initContainerStatuses.state.terminated.startedAt (Time)

          Time at which previous execution of the container started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • initContainerStatuses.state.terminated.finishedAt (Time)

          Time at which the container last terminated

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • initContainerStatuses.state.terminated.message (string)

          Message regarding the last termination of the container

        • initContainerStatuses.state.terminated.reason (string)

          (brief) reason from the last termination of the container

        • initContainerStatuses.state.terminated.signal (int32)

          Signal from the last termination of the container

      • initContainerStatuses.state.waiting (ContainerStateWaiting)

        Details about a waiting container

        ContainerStateWaiting is a waiting state of a container.

        • initContainerStatuses.state.waiting.message (string)

          Message regarding why the container is not yet running.

        • initContainerStatuses.state.waiting.reason (string)

          (brief) reason the container is not yet running.

    • initContainerStatuses.lastState (ContainerState)

      Details about the container's last termination condition.

      ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.

      • initContainerStatuses.lastState.running (ContainerStateRunning)

        Details about a running container

        ContainerStateRunning is a running state of a container.

        • initContainerStatuses.lastState.running.startedAt (Time)

          Time at which the container was last (re-)started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

      • initContainerStatuses.lastState.terminated (ContainerStateTerminated)

        Details about a terminated container

        ContainerStateTerminated is a terminated state of a container.

        • initContainerStatuses.lastState.terminated.containerID (string)

          Container's ID in the format '<type>://<container_id>'

        • initContainerStatuses.lastState.terminated.exitCode (int32), required

          Exit status from the last termination of the container

        • initContainerStatuses.lastState.terminated.startedAt (Time)

          Time at which previous execution of the container started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • initContainerStatuses.lastState.terminated.finishedAt (Time)

          Time at which the container last terminated

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • initContainerStatuses.lastState.terminated.message (string)

          Message regarding the last termination of the container

        • initContainerStatuses.lastState.terminated.reason (string)

          (brief) reason from the last termination of the container

        • initContainerStatuses.lastState.terminated.signal (int32)

          Signal from the last termination of the container

      • initContainerStatuses.lastState.waiting (ContainerStateWaiting)

        Details about a waiting container

        ContainerStateWaiting is a waiting state of a container.

        • initContainerStatuses.lastState.waiting.message (string)

          Message regarding why the container is not yet running.

        • initContainerStatuses.lastState.waiting.reason (string)

          (brief) reason the container is not yet running.

    • initContainerStatuses.ready (boolean), required

      Specifies whether the container has passed its readiness probe.

    • initContainerStatuses.restartCount (int32), required

      The number of times the container has been restarted.

    • initContainerStatuses.started (boolean)

      Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.

  • containerStatuses ([]ContainerStatus)

    The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status

    ContainerStatus contains details for the current status of this container.

    • containerStatuses.name (string), required

      This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.

    • containerStatuses.image (string), required

      The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.

    • containerStatuses.imageID (string), required

      ImageID of the container's image.

    • containerStatuses.containerID (string)

      Container's ID in the format '<type>://<container_id>'.

    • containerStatuses.state (ContainerState)

      Details about the container's current condition.

      ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.

      • containerStatuses.state.running (ContainerStateRunning)

        Details about a running container

        ContainerStateRunning is a running state of a container.

        • containerStatuses.state.running.startedAt (Time)

          Time at which the container was last (re-)started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

      • containerStatuses.state.terminated (ContainerStateTerminated)

        Details about a terminated container

        ContainerStateTerminated is a terminated state of a container.

        • containerStatuses.state.terminated.containerID (string)

          Container's ID in the format '<type>://<container_id>'

        • containerStatuses.state.terminated.exitCode (int32), required

          Exit status from the last termination of the container

        • containerStatuses.state.terminated.startedAt (Time)

          Time at which previous execution of the container started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • containerStatuses.state.terminated.finishedAt (Time)

          Time at which the container last terminated

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • containerStatuses.state.terminated.message (string)

          Message regarding the last termination of the container

        • containerStatuses.state.terminated.reason (string)

          (brief) reason from the last termination of the container

        • containerStatuses.state.terminated.signal (int32)

          Signal from the last termination of the container

      • containerStatuses.state.waiting (ContainerStateWaiting)

        Details about a waiting container

        ContainerStateWaiting is a waiting state of a container.

        • containerStatuses.state.waiting.message (string)

          Message regarding why the container is not yet running.

        • containerStatuses.state.waiting.reason (string)

          (brief) reason the container is not yet running.

    • containerStatuses.lastState (ContainerState)

      Details about the container's last termination condition.

      ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.

      • containerStatuses.lastState.running (ContainerStateRunning)

        Details about a running container

        ContainerStateRunning is a running state of a container.

        • containerStatuses.lastState.running.startedAt (Time)

          Time at which the container was last (re-)started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

      • containerStatuses.lastState.terminated (ContainerStateTerminated)

        Details about a terminated container

        ContainerStateTerminated is a terminated state of a container.

        • containerStatuses.lastState.terminated.containerID (string)

          Container's ID in the format '<type>://<container_id>'

        • containerStatuses.lastState.terminated.exitCode (int32), required

          Exit status from the last termination of the container

        • containerStatuses.lastState.terminated.startedAt (Time)

          Time at which previous execution of the container started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • containerStatuses.lastState.terminated.finishedAt (Time)

          Time at which the container last terminated

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • containerStatuses.lastState.terminated.message (string)

          Message regarding the last termination of the container

        • containerStatuses.lastState.terminated.reason (string)

          (brief) reason from the last termination of the container

        • containerStatuses.lastState.terminated.signal (int32)

          Signal from the last termination of the container

      • containerStatuses.lastState.waiting (ContainerStateWaiting)

        Details about a waiting container

        ContainerStateWaiting is a waiting state of a container.

        • containerStatuses.lastState.waiting.message (string)

          Message regarding why the container is not yet running.

        • containerStatuses.lastState.waiting.reason (string)

          (brief) reason the container is not yet running.

    • containerStatuses.ready (boolean), required

      Specifies whether the container has passed its readiness probe.

    • containerStatuses.restartCount (int32), required

      The number of times the container has been restarted.

    • containerStatuses.started (boolean)

      Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.

  • ephemeralContainerStatuses ([]ContainerStatus)

    Status for any ephemeral containers that have run in this pod.

    ContainerStatus contains details for the current status of this container.

    • ephemeralContainerStatuses.name (string), required

      This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.

    • ephemeralContainerStatuses.image (string), required

      The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images.

    • ephemeralContainerStatuses.imageID (string), required

      ImageID of the container's image.

    • ephemeralContainerStatuses.containerID (string)

      Container's ID in the format '<type>://<container_id>'.

    • ephemeralContainerStatuses.state (ContainerState)

      Details about the container's current condition.

      ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.

      • ephemeralContainerStatuses.state.running (ContainerStateRunning)

        Details about a running container

        ContainerStateRunning is a running state of a container.

        • ephemeralContainerStatuses.state.running.startedAt (Time)

          Time at which the container was last (re-)started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

      • ephemeralContainerStatuses.state.terminated (ContainerStateTerminated)

        Details about a terminated container

        ContainerStateTerminated is a terminated state of a container.

        • ephemeralContainerStatuses.state.terminated.containerID (string)

          Container's ID in the format '<type>://<container_id>'

        • ephemeralContainerStatuses.state.terminated.exitCode (int32), required

          Exit status from the last termination of the container

        • ephemeralContainerStatuses.state.terminated.startedAt (Time)

          Time at which previous execution of the container started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • ephemeralContainerStatuses.state.terminated.finishedAt (Time)

          Time at which the container last terminated

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • ephemeralContainerStatuses.state.terminated.message (string)

          Message regarding the last termination of the container

        • ephemeralContainerStatuses.state.terminated.reason (string)

          (brief) reason from the last termination of the container

        • ephemeralContainerStatuses.state.terminated.signal (int32)

          Signal from the last termination of the container

      • ephemeralContainerStatuses.state.waiting (ContainerStateWaiting)

        Details about a waiting container

        ContainerStateWaiting is a waiting state of a container.

        • ephemeralContainerStatuses.state.waiting.message (string)

          Message regarding why the container is not yet running.

        • ephemeralContainerStatuses.state.waiting.reason (string)

          (brief) reason the container is not yet running.

    • ephemeralContainerStatuses.lastState (ContainerState)

      Details about the container's last termination condition.

      ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.

      • ephemeralContainerStatuses.lastState.running (ContainerStateRunning)

        Details about a running container

        ContainerStateRunning is a running state of a container.

        • ephemeralContainerStatuses.lastState.running.startedAt (Time)

          Time at which the container was last (re-)started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

      • ephemeralContainerStatuses.lastState.terminated (ContainerStateTerminated)

        Details about a terminated container

        ContainerStateTerminated is a terminated state of a container.

        • ephemeralContainerStatuses.lastState.terminated.containerID (string)

          Container's ID in the format '<type>://<container_id>'

        • ephemeralContainerStatuses.lastState.terminated.exitCode (int32), required

          Exit status from the last termination of the container

        • ephemeralContainerStatuses.lastState.terminated.startedAt (Time)

          Time at which previous execution of the container started

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • ephemeralContainerStatuses.lastState.terminated.finishedAt (Time)

          Time at which the container last terminated

          Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

        • ephemeralContainerStatuses.lastState.terminated.message (string)

          Message regarding the last termination of the container

        • ephemeralContainerStatuses.lastState.terminated.reason (string)

          (brief) reason from the last termination of the container

        • ephemeralContainerStatuses.lastState.terminated.signal (int32)

          Signal from the last termination of the container

      • ephemeralContainerStatuses.lastState.waiting (ContainerStateWaiting)

        Details about a waiting container

        ContainerStateWaiting is a waiting state of a container.

        • ephemeralContainerStatuses.lastState.waiting.message (string)

          Message regarding why the container is not yet running.

        • ephemeralContainerStatuses.lastState.waiting.reason (string)

          (brief) reason the container is not yet running.

    • ephemeralContainerStatuses.ready (boolean), required

      Specifies whether the container has passed its readiness probe.

    • ephemeralContainerStatuses.restartCount (int32), required

      The number of times the container has been restarted.

    • ephemeralContainerStatuses.started (boolean)

      Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.

PodList

PodList is a list of Pods.


Operations


get read the specified Pod

HTTP Request

GET /api/v1/namespaces/{namespace}/pods/{name}

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (Pod): OK

401: Unauthorized

get read ephemeralcontainers of the specified Pod

HTTP Request

GET /api/v1/namespaces/{namespace}/pods/{name}/ephemeralcontainers

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (Pod): OK

401: Unauthorized

get read log of the specified Pod

HTTP Request

GET /api/v1/namespaces/{namespace}/pods/{name}/log

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • container (in query): string

    The container for which to stream logs. Defaults to only container if there is one container in the pod.

  • follow (in query): boolean

    Follow the log stream of the pod. Defaults to false.

  • insecureSkipTLSVerifyBackend (in query): boolean

    insecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the serving certificate of the backend it is connecting to. This will make the HTTPS connection between the apiserver and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real kubelet. If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept the actual log data coming from the real kubelet).

  • limitBytes (in query): integer

    If set, the number of bytes to read from the server before terminating the log output. This may not display a complete final line of logging, and may return slightly more or slightly less than the specified limit.

  • pretty (in query): string

    pretty

  • previous (in query): boolean

    Return previous terminated container logs. Defaults to false.

  • sinceSeconds (in query): integer

    A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned. Only one of sinceSeconds or sinceTime may be specified.

  • tailLines (in query): integer

    If set, the number of lines from the end of the logs to show. If not specified, logs are shown from the creation of the container or sinceSeconds or sinceTime

  • timestamps (in query): boolean

    If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line of log output. Defaults to false.

Response

200 (string): OK

401: Unauthorized

get read status of the specified Pod

HTTP Request

GET /api/v1/namespaces/{namespace}/pods/{name}/status

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (Pod): OK

401: Unauthorized

list list or watch objects of kind Pod

HTTP Request

GET /api/v1/namespaces/{namespace}/pods

Parameters

Response

200 (PodList): OK

401: Unauthorized

list list or watch objects of kind Pod

HTTP Request

GET /api/v1/pods

Parameters

Response

200 (PodList): OK

401: Unauthorized

create create a Pod

HTTP Request

POST /api/v1/namespaces/{namespace}/pods

Parameters

Response

200 (Pod): OK

201 (Pod): Created

202 (Pod): Accepted

401: Unauthorized

update replace the specified Pod

HTTP Request

PUT /api/v1/namespaces/{namespace}/pods/{name}

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • body: Pod, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • pretty (in query): string

    pretty

Response

200 (Pod): OK

201 (Pod): Created

401: Unauthorized

update replace ephemeralcontainers of the specified Pod

HTTP Request

PUT /api/v1/namespaces/{namespace}/pods/{name}/ephemeralcontainers

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • body: Pod, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • pretty (in query): string

    pretty

Response

200 (Pod): OK

201 (Pod): Created

401: Unauthorized

update replace status of the specified Pod

HTTP Request

PUT /api/v1/namespaces/{namespace}/pods/{name}/status

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • body: Pod, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • pretty (in query): string

    pretty

Response

200 (Pod): OK

201 (Pod): Created

401: Unauthorized

patch partially update the specified Pod

HTTP Request

PATCH /api/v1/namespaces/{namespace}/pods/{name}

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (Pod): OK

201 (Pod): Created

401: Unauthorized

patch partially update ephemeralcontainers of the specified Pod

HTTP Request

PATCH /api/v1/namespaces/{namespace}/pods/{name}/ephemeralcontainers

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (Pod): OK

201 (Pod): Created

401: Unauthorized

patch partially update status of the specified Pod

HTTP Request

PATCH /api/v1/namespaces/{namespace}/pods/{name}/status

Parameters

  • name (in path): string, required

    name of the Pod

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (Pod): OK

201 (Pod): Created

401: Unauthorized

delete delete a Pod

HTTP Request

DELETE /api/v1/namespaces/{namespace}/pods/{name}

Parameters

Response

200 (Pod): OK

202 (Pod): Accepted

401: Unauthorized

deletecollection delete collection of Pod

HTTP Request

DELETE /api/v1/namespaces/{namespace}/pods

Parameters

Response

200 (Status): OK

401: Unauthorized

Read article
Service

Service

Service is a named abstraction of software service (for example, mysql) consisting of local port (for example 3306) that the proxy listens on, and the selector that determines which pods will answer requests sent through the proxy.

apiVersion: v1

import "k8s.io/api/core/v1"

Service

Service is a named abstraction of software service (for example, mysql) consisting of local port (for example 3306) that the proxy listens on, and the selector that determines which pods will answer requests sent through the proxy.


ServiceSpec

ServiceSpec describes the attributes that a user creates on a service.


  • selector (map[string]string)

    Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/

  • ports ([]ServicePort)

    Patch strategy: merge on key port

    Map: unique values on keys port, protocol will be kept during a merge

    The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

    ServicePort contains information on service's port.

    • ports.port (int32), required

      The port that will be exposed by this service.

    • ports.targetPort (IntOrString)

      Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod's container ports. If this is not specified, the value of the 'port' field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the 'port' field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

      IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

    • ports.protocol (string)

      The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". Default is TCP.

    • ports.name (string)

      The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.

    • ports.nodePort (int32)

      The port on each node on which this service is exposed when type is NodePort or LoadBalancer. Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail. If not specified, a port will be allocated if this Service requires one. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport

    • ports.appProtocol (string)

      The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.

  • type (string)

    type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. "ClusterIP" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object or EndpointSlice objects. If clusterIP is "None", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a virtual IP. "NodePort" builds on ClusterIP and allocates a port on every node which routes to the same endpoints as the clusterIP. "LoadBalancer" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. "ExternalName" aliases this service to the specified externalName. Several other fields do not apply to ExternalName services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types

  • ipFamilies ([]string)

    Atomic: will be replaced during a merge

    IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. If this field is specified manually, the requested family is available in the cluster, and ipFamilyPolicy allows it, it will be used; otherwise creation of the service will fail. This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service. Valid values are "IPv4" and "IPv6". This field only applies to Services of types ClusterIP, NodePort, and LoadBalancer, and does apply to "headless" services. This field will be wiped when updating a Service to type ExternalName.

    This field may hold a maximum of two entries (dual-stack families, in either order). These families must correspond to the values of the clusterIPs field, if specified. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field.

  • ipFamilyPolicy (string)

    IPFamilyPolicy represents the dual-stack-ness requested or required by this Service. If there is no value provided, then this field will be set to SingleStack. Services can be "SingleStack" (a single IP family), "PreferDualStack" (two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or "RequireDualStack" (two IP families on dual-stack configured clusters, otherwise fail). The ipFamilies and clusterIPs fields depend on the value of this field. This field will be wiped when updating a service to type ExternalName.

  • clusterIP (string)

    clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above). Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

  • clusterIPs ([]string)

    Atomic: will be replaced during a merge

    ClusterIPs is a list of IP addresses assigned to this service, and are usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be empty) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above). Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. If this field is not specified, it will be initialized from the clusterIP field. If this field is specified, clients must ensure that clusterIPs[0] and clusterIP have the same value.

    This field may hold a maximum of two entries (dual-stack IPs, in either order). These IPs must correspond to the values of the ipFamilies field. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

  • externalIPs ([]string)

    externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.

  • sessionAffinity (string)

    Supports "ClientIP" and "None". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

  • loadBalancerIP (string)

    Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.

  • loadBalancerSourceRanges ([]string)

    If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/

  • loadBalancerClass (string)

    loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.

  • externalName (string)

    externalName is the external reference that discovery mechanisms will return as an alias for this service (e.g. a DNS CNAME record). No proxying will be involved. Must be a lowercase RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires type to be "ExternalName".

  • externalTrafficPolicy (string)

    externalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, "Cluster", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get "Cluster" semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node.

  • internalTrafficPolicy (string)

    InternalTrafficPolicy describes how nodes distribute service traffic they receive on the ClusterIP. If set to "Local", the proxy will assume that pods only want to talk to endpoints of the service on the same node as the pod, dropping the traffic if there are no local endpoints. The default value, "Cluster", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features).

  • healthCheckNodePort (int32)

    healthCheckNodePort specifies the healthcheck nodePort for the service. This only applies when type is set to LoadBalancer and externalTrafficPolicy is set to Local. If a value is specified, is in-range, and is not in use, it will be used. If not specified, a value will be automatically allocated. External systems (e.g. load-balancers) can use this port to determine if a given node holds endpoints for this service or not. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type). This field cannot be updated once set.

  • publishNotReadyAddresses (boolean)

    publishNotReadyAddresses indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready. The primary use case for setting this field is for a StatefulSet's Headless Service to propagate SRV DNS records for its Pods for the purpose of peer discovery. The Kubernetes controllers that generate Endpoints and EndpointSlice resources for Services interpret this to mean that all endpoints are considered "ready" even if the Pods themselves are not. Agents which consume only Kubernetes generated endpoints through the Endpoints or EndpointSlice resources can safely assume this behavior.

  • sessionAffinityConfig (SessionAffinityConfig)

    sessionAffinityConfig contains the configurations of session affinity.

    SessionAffinityConfig represents the configurations of session affinity.

    • sessionAffinityConfig.clientIP (ClientIPConfig)

      clientIP contains the configurations of Client IP based session affinity.

      ClientIPConfig represents the configurations of Client IP based session affinity.

      • sessionAffinityConfig.clientIP.timeoutSeconds (int32)

        timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". Default value is 10800(for 3 hours).

  • allocateLoadBalancerNodePorts (boolean)

    allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.

ServiceStatus

ServiceStatus represents the current status of a service.


  • conditions ([]Condition)

    Patch strategy: merge on key type

    Map: unique values on key type will be kept during a merge

    Current service state

    Condition contains details for one aspect of the current state of this API Resource.

    • conditions.lastTransitionTime (Time), required

      lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.message (string), required

      message is a human readable message indicating details about the transition. This may be an empty string.

    • conditions.reason (string), required

      reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

    • conditions.status (string), required

      status of the condition, one of True, False, Unknown.

    • conditions.type (string), required

      type of condition in CamelCase or in foo.example.com/CamelCase.

    • conditions.observedGeneration (int64)

      observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

  • loadBalancer (LoadBalancerStatus)

    LoadBalancer contains the current status of the load-balancer, if one is present.

    LoadBalancerStatus represents the status of a load-balancer.

    • loadBalancer.ingress ([]LoadBalancerIngress)

      Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.

      LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.

      • loadBalancer.ingress.hostname (string)

        Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers)

      • loadBalancer.ingress.ip (string)

        IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers)

      • loadBalancer.ingress.ports ([]PortStatus)

        Atomic: will be replaced during a merge

        Ports is a list of records of service ports If used, every port defined in the service should have an entry in it

        **

        • loadBalancer.ingress.ports.port (int32), required

          Port is the port number of the service port of which status is recorded here

        • loadBalancer.ingress.ports.protocol (string), required

          Protocol is the protocol of the service port of which status is recorded here The supported values are: "TCP", "UDP", "SCTP"

        • loadBalancer.ingress.ports.error (string)

          Error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use CamelCase names

          • cloud provider specific error values must have names that comply with the format foo.example.com/CamelCase.

ServiceList

ServiceList holds a list of services.


Operations


get read the specified Service

HTTP Request

GET /api/v1/namespaces/{namespace}/services/{name}

Parameters

  • name (in path): string, required

    name of the Service

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (Service): OK

401: Unauthorized

get read status of the specified Service

HTTP Request

GET /api/v1/namespaces/{namespace}/services/{name}/status

Parameters

  • name (in path): string, required

    name of the Service

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (Service): OK

401: Unauthorized

list list or watch objects of kind Service

HTTP Request

GET /api/v1/namespaces/{namespace}/services

Parameters

Response

200 (ServiceList): OK

401: Unauthorized

list list or watch objects of kind Service

HTTP Request

GET /api/v1/services

Parameters

Response

200 (ServiceList): OK

401: Unauthorized

create create a Service

HTTP Request

POST /api/v1/namespaces/{namespace}/services

Parameters

Response

200 (Service): OK

201 (Service): Created

202 (Service): Accepted

401: Unauthorized

update replace the specified Service

HTTP Request

PUT /api/v1/namespaces/{namespace}/services/{name}

Parameters

Response

200 (Service): OK

201 (Service): Created

401: Unauthorized

update replace status of the specified Service

HTTP Request

PUT /api/v1/namespaces/{namespace}/services/{name}/status

Parameters

Response

200 (Service): OK

201 (Service): Created

401: Unauthorized

patch partially update the specified Service

HTTP Request

PATCH /api/v1/namespaces/{namespace}/services/{name}

Parameters

  • name (in path): string, required

    name of the Service

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (Service): OK

201 (Service): Created

401: Unauthorized

patch partially update status of the specified Service

HTTP Request

PATCH /api/v1/namespaces/{namespace}/services/{name}/status

Parameters

  • name (in path): string, required

    name of the Service

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (Service): OK

201 (Service): Created

401: Unauthorized

delete delete a Service

HTTP Request

DELETE /api/v1/namespaces/{namespace}/services/{name}

Parameters

Response

200 (Service): OK

202 (Service): Accepted

401: Unauthorized

deletecollection delete collection of Service

HTTP Request

DELETE /api/v1/namespaces/{namespace}/services

Parameters

Response

200 (Status): OK

401: Unauthorized

Read article
ServiceAccount

ServiceAccount

ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets.

apiVersion: v1

import "k8s.io/api/core/v1"

ServiceAccount

ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets


  • apiVersion: v1

  • kind: ServiceAccount

  • metadata (ObjectMeta)

    Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

  • automountServiceAccountToken (boolean)

    AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. Can be overridden at the pod level.

  • imagePullSecrets ([]LocalObjectReference)

    ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod

  • secrets ([]ObjectReference)

    Patch strategy: merge on key name

    Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true". This field should not be used to find auto-generated service account token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret

ServiceAccountList

ServiceAccountList is a list of ServiceAccount objects


Operations


get read the specified ServiceAccount

HTTP Request

GET /api/v1/namespaces/{namespace}/serviceaccounts/{name}

Parameters

  • name (in path): string, required

    name of the ServiceAccount

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (ServiceAccount): OK

401: Unauthorized

list list or watch objects of kind ServiceAccount

HTTP Request

GET /api/v1/namespaces/{namespace}/serviceaccounts

Parameters

Response

200 (ServiceAccountList): OK

401: Unauthorized

list list or watch objects of kind ServiceAccount

HTTP Request

GET /api/v1/serviceaccounts

Parameters

Response

200 (ServiceAccountList): OK

401: Unauthorized

create create a ServiceAccount

HTTP Request

POST /api/v1/namespaces/{namespace}/serviceaccounts

Parameters

Response

200 (ServiceAccount): OK

201 (ServiceAccount): Created

202 (ServiceAccount): Accepted

401: Unauthorized

update replace the specified ServiceAccount

HTTP Request

PUT /api/v1/namespaces/{namespace}/serviceaccounts/{name}

Parameters

Response

200 (ServiceAccount): OK

201 (ServiceAccount): Created

401: Unauthorized

patch partially update the specified ServiceAccount

HTTP Request

PATCH /api/v1/namespaces/{namespace}/serviceaccounts/{name}

Parameters

  • name (in path): string, required

    name of the ServiceAccount

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (ServiceAccount): OK

201 (ServiceAccount): Created

401: Unauthorized

delete delete a ServiceAccount

HTTP Request

DELETE /api/v1/namespaces/{namespace}/serviceaccounts/{name}

Parameters

Response

200 (ServiceAccount): OK

202 (ServiceAccount): Accepted

401: Unauthorized

deletecollection delete collection of ServiceAccount

HTTP Request

DELETE /api/v1/namespaces/{namespace}/serviceaccounts

Parameters

Response

200 (Status): OK

401: Unauthorized

Read article

Interested?
Signup now!

Login / Signup as

Post task and get it done by experts

Find great opportunities and enjoy reading

arrow-image